Security Basics mailing list archives

Re: Frequent offenders list


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 26 Nov 2002 07:16:13 -0500

Thanks to everyone who responded... the verdict is definitely dshield. I
was considering making it standard practice to block these addresses at
my firewall and update on a weekly basis.  I'm interested in what others
think about this - recommended/valuable or not?  So far I haven't seen
that the list of addresses at dshield match any of those that are
portscanning us but I figured it couldn't hurt.

Vinod Yegneswaran, a student at the Univ. of Wisconsin, just wrote a
paper looking into this question:
http://www.dshield.org/WisconsinDShieldPaper.pdf

If you intend to use the list for blocking, I recommend our
official block list. See http://www.dshield.org/block_list_info.html
for more details.

The '100 targets' list was set up after people asked for a more
extensive blocklist. So you can give it a try and see how it works
for you. 

Using a list based on correlated data from a large user group makes
spoofing harder but not impossible. While the block list is regularly
reviewed for 'sane-ness', the '100 targets' list is too large to
do the same.

Usually, I discourage the use of the top 10 list, as it is too
limited.

Another note: While the data feeds from DShield are free to use, we
hope you find them useful enough to contribute to the system by 
sending your own logs.


-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
