Hi, I believe the dshield blocklist should be installed on every firewall on all internet facing machines. You are doing an excellent job! I have also included it in FireHOL Level1 (http://iplists.firehol.org/?ipset=firehol_level1). However, since this list is the outcome of firewall and IDS logs, mainly logging packets that didn't go through, how do you know it is not poisoned? Poisoning on a large scale can be achieved, not by submitting fake logs to you, but by port scanning the internet with spoofed source IP addresses. For example, if someone starts sending billions of packets to random ports (or even well known monitored ports) spoofed to have Google addresses as source IPs, are you going to blocklist Google? If not, how are you going to detect it? Thanks! Costa
ktsaou, Aug 30th 2015
The dshield block list is only the top 20 attacking networks. I believe this is based more on the number of targets than the number of packets. Currently the lowest number of attacks from an IP on that list is 870.
BlairMckee, Sep 5th 2015
That is exactly my question. If I send a few million (or even billion) spoofed packets to at least 1000 hosts contributing logs, will the source IP I used suddenly appear in the dshield blocklist? If someone can do this (which is quite feasible, since he/she has 3 days to complete the task), then the list can be poisoned. Am I right, or is there anything used during the processing phase of the logs that will prevent it?
ktsaou, Sep 6th 2015