Security Basics mailing list archives
Re: Frequent offenders list
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 26 Nov 2002 07:16:13 -0500
> Thanks to everyone who responded... the verdict is definitely dshield. I was considering making it standard practice to block these addresses at my firewall and update on a weekly basis. I'm interested in what others think about this - recommended/valuable or not? So far I haven't seen that the list of addresses at dshield matches any of those that are portscanning us but I figured it couldn't hurt.
Vinod Yegneswaran, a student at the Univ. of Wisconsin, just wrote a paper looking into this question: http://www.dshield.org/WisconsinDShieldPaper.pdf

If you intend to use the list for blocking, I recommend our official block list. See http://www.dshield.org/block_list_info.html for more details.

The '100 targets' list was set up after people asked for a more extensive blocklist. So you can give it a try and see how it works for you. Using a list based on correlated data from a large user group makes spoofing harder but not impossible. While the block list is regularly reviewed for 'sane-ness', the '100 targets' list is too large to do the same.

Usually, I discourage the use of the top 10 list, as it is too limited.

Another note: While the data feeds from DShield are free to use, we hope you find them useful enough to contribute to the system by sending your own logs.

--
jullrich () euclidian com
Collaborative Intrusion Detection
join http://www.dshield.org
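The reply above notes that a correlated list makes spoofing harder but not impossible, and that the larger list is not reviewed for 'sane-ness'. The following is an added example, not part of the original post and not DShield code, of a local sanity check to run on any third-party block list before loading it into a firewall. The tab-separated feed layout (start, end, prefix length), the protected ranges, the `MIN_PREFIX` threshold and the `DSHIELD_BLOCK` chain name are all assumptions made for illustration.

```python
import ipaddress

# Assumed local policy: ranges that must never be blocked, even if a feed lists
# them (e.g. after spoofed reports). 198.51.100.0/24 stands in for "our own" network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24")]
MIN_PREFIX = 16  # assumed threshold: refuse entries broader than a /16

# Constructed sample feed (documentation address ranges, not real data).
SAMPLE_FEED = (
    "# start\tend\tprefix\n"
    "203.0.113.0\t203.0.113.255\t24\n"    # plausible entry
    "198.51.100.0\t198.51.100.255\t24\n"  # our own range
    "192.0.0.0\t192.255.255.255\t8\n"     # far too broad
    "192.0.2.0\t192.0.2.300\t24\n"        # malformed end address
    "192.0.2.0\t192.0.2.255\t24\n"        # plausible entry
    "203.0.113.0\t203.0.113.255\t24\n"    # duplicate
)

def vet_feed(text):
    """Return (accepted networks, [(line number, reason)] for rejected lines)."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        try:
            start, end, prefix = fields[0], fields[1], int(fields[2])
            net = ipaddress.ip_network(f"{start}/{prefix}")  # strict: no host bits
            if ipaddress.ip_address(end) != net.broadcast_address:
                raise ValueError("end does not match start/prefix")
        except (ValueError, IndexError) as exc:
            rejected.append((lineno, f"malformed: {exc}"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((lineno, f"too broad: {net}"))
        elif any(net.overlaps(keep) for keep in NEVER_BLOCK):
            rejected.append((lineno, f"overlaps protected range: {net}"))
        elif net in accepted:
            rejected.append((lineno, f"duplicate: {net}"))
        else:
            accepted.append(net)
    return accepted, rejected

def iptables_rules(nets, chain="DSHIELD_BLOCK"):
    """Render accepted networks as iptables-restore style lines (chain name assumed)."""
    return [f"-A {chain} -s {net} -j DROP" for net in nets]
```

Logging the rejected lines on each weekly update gives a record of when a feed starts listing ranges it should not.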
Current thread:
- Frequent offenders list netsec novice (Nov 22)
- Re: Frequent offenders list J . Reilink (Nov 25)
- Re: Frequent offenders list Johannes Ullrich (Nov 25)
- <Possible follow-ups>
- Re: Frequent offenders list netsec novice (Nov 25)
- Re: Frequent offenders list Johannes Ullrich (Nov 26)