Reminder: Proper use of DShield data
DShield currently only publishes one blocklist: http://www.dshield.org/block.txt . It removes some of the obvious false positives. Of course, like with any block list, you should still use it at your own risk.
In addition, we are publishing the "Highly Predictive Blocklists" (http://www.dshield.org/hpbinfo.html). These blocklists are currently experimental, and a new version of the software should actually be release shortly.
Finally, there are a number of other "lists". For example, the following list is quite popular:
http://www.dshield.org/ipsascii.html
Note the big disclaimer at the top of this list:
# ipsascii.html
# DO NOT USE AS BLOCKLIST
This list contains the top IPs, without any consideration to false positives.
Why don't we filter false positives?
Well, if it would be easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up back scatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But in case there is active scanning for P2P networks, we need to know what this afterglow looks like in order to substract it.
So again! stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't mean automatically that they are an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
# updated: Tue Mar 13 02:27:52 2007 UTC
Is there a version that's actively maintained somewhere?
(Sorry if this is a double post; I don't think my first attempt went through.)
David Brodbeck
May 29th 2008
1 decade ago
Scott
May 31st 2008
1 decade ago