Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Reminder: Proper use of DShield data InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Reminder: Proper use of DShield data

Published: 2008-05-28
Last Updated: 2008-05-28 21:04:35 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)
Once in a while, we receive requests to remove an IP from our "blocklist", only to find out that the particular IP address isn't in our blocklist. Usually, it turns out that someone is using part of our DShield list in a way they are not supposed to be used.

DShield currently only publishes one blocklist: . It removes some of the obvious false positives. Of course, like with any block list, you should still use it at your own risk.

In addition, we are publishing the "Highly Predictive Blocklists" ( These blocklists are currently experimental, and a new version of the software should actually be release shortly.

Finally, there are a number of other "lists". For example, the following list is quite popular:

Note the big disclaimer at the top of this list:

# ipsascii.html

This list contains the top IPs, without any consideration to false positives.

Why don't we filter false positives?

Well, if it would be easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up back scatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But in case there is active scanning for P2P networks, we need to know what this afterglow looks like in order to substract it.

So again! stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't mean automatically that they are an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.

Keywords: blocklist dshield
2 comment(s)
Diary Archives