Last Updated: 2008-05-28 21:04:35 UTC
by Johannes Ullrich (Version: 1)
DShield currently only publishes one blocklist: http://www.dshield.org/block.txt . It removes some of the obvious false positives. Of course, like with any block list, you should still use it at your own risk.
In addition, we are publishing the "Highly Predictive Blocklists" (http://www.dshield.org/hpbinfo.html). These blocklists are currently experimental, and a new version of the software should actually be release shortly.
Finally, there are a number of other "lists". For example, the following list is quite popular:
Note the big disclaimer at the top of this list:
# DO NOT USE AS BLOCKLIST
This list contains the top IPs, without any consideration to false positives.
Why don't we filter false positives?
Well, if it would be easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up back scatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But in case there is active scanning for P2P networks, we need to know what this afterglow looks like in order to substract it.
So again! stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't mean automatically that they are an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.