SANS ISC: dshield blocklist poisoning SANS ISC InfoSec Forums

dshield blocklist poisoning
Hi,

I believe the dshield blocklist should be installed on every firewall on all internet facing machines. You are doing an excellent job! I have also included it in FireHOL Level1 (http://iplists.firehol.org/?ipset=firehol_level1).

However, since this list is the outcome of firewall and IDS logs, mainly logging packets that didn't go through, how do you know it is not poisoned?

Poisoning in large scale can be achieved, not by submitting to you fake logs, but by port scanning the internet with spoofed source IP addresses.

For example, if someone starts sending billions of packets to random ports (or even well-known monitored ports) spoofed to have Google addresses as source IPs, are you going to blacklist Google? If not, how are you going to detect it?

Thanks!

Costa

ktsaou (2 Posts)
The dshield block list is only the top 20 attacking networks. I believe this is based more on the number of targets than the number of packets. Currently the lowest number of attacks from an ip on that list is 870.

BlairMckee (2 Posts)
That is exactly my question.

If I send a few million (or even billion) spoofed packets to at least 1000 hosts contributing logs, the source IP I used will suddenly appear in the dshield blocklist?

If someone can do this (which is quite feasible, since he/she has 3 days to complete the task), then the list can be poisoned.

Am I right, or is there anything used during the processing phase of the logs that will prevent it?
ktsaou (2 Posts)
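The two concerns in this thread (ranking by distinct targets rather than packet volume, and a spoofed source being pushed onto the list by unanswered packets) can be made concrete with a small aggregation over constructed sensor reports. The code below is an added example and is not DShield's processing or FireHOL's code; the report tuple layout, the sensor ids and the IP addresses are all assumptions chosen for the example. The one corroborating signal it uses is whether any sensor saw a completed TCP three-way handshake, which a sender using a spoofed source address cannot finish because the SYN-ACK never reaches it.

```python
from collections import defaultdict

# Constructed sample in the shape of per-sensor firewall/IDS submissions.
# Field meaning is an assumption for this example, not DShield's real format:
# (sensor_id, source_ip, dest_port, protocol, handshake_completed)
# "handshake_completed" is True only when the sensor saw a full TCP 3-way
# handshake, which a sender with a spoofed source address cannot finish.
REPORTS = [
    # 198.51.100.7: real scanner; hits several sensors, some connections complete
    ("s1", "198.51.100.7", 22, "tcp", True),
    ("s2", "198.51.100.7", 22, "tcp", False),
    ("s3", "198.51.100.7", 3389, "tcp", True),
    ("s4", "198.51.100.7", 445, "tcp", False),
    # 203.0.113.9: the spoofed case the thread describes; high volume, many
    # targets, but never a completed connection anywhere
    ("s1", "203.0.113.9", 23, "tcp", False),
    ("s2", "203.0.113.9", 23, "tcp", False),
    ("s3", "203.0.113.9", 23, "tcp", False),
    ("s4", "203.0.113.9", 23, "tcp", False),
    ("s5", "203.0.113.9", 53, "udp", False),
    ("s5", "203.0.113.9", 23, "tcp", False),
    ("s5", "203.0.113.9", 23, "tcp", False),
    # 192.0.2.44: noisy toward one sensor only; high packet count, one target
    *[("s9", "192.0.2.44", 80, "tcp", True)] * 50,
]


def rank_by_targets(reports):
    """Return [(src_ip, distinct_targets, packets)] sorted by distinct targets
    (the metric BlairMckee describes), with packet count as the tie-breaker."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for sensor, src, _port, _proto, _done in reports:
        targets[src].add(sensor)
        packets[src] += 1
    return sorted(
        ((src, len(t), packets[src]) for src, t in targets.items()),
        key=lambda row: (row[1], row[2]),
        reverse=True,
    )


def corroborated_sources(reports):
    """Sources for which at least one sensor saw a completed TCP handshake."""
    return {src for _s, src, _p, proto, done in reports if proto == "tcp" and done}


def classify_top(reports, top_n=2):
    """Split the top-N sources into 'corroborated' and 'unverified'.

    A source that reached the top only through SYN-only or UDP hits is held
    back as 'unverified' until some sensor corroborates it, which is the
    mitigation for the spoofed-scan poisoning asked about in the thread.
    """
    ranking = rank_by_targets(reports)[:top_n]
    solid = corroborated_sources(reports)
    result = {"corroborated": [], "unverified": []}
    for src, _ntargets, _npackets in ranking:
        bucket = "corroborated" if src in solid else "unverified"
        result[bucket].append(src)
    return result


if __name__ == "__main__":
    for row in rank_by_targets(REPORTS):
        print(row)
    print(classify_top(REPORTS))
```

With this input the spoofed 203.0.113.9 ranks first on distinct targets yet lands in the unverified bucket, while 198.51.100.7 is corroborated. The caveat is the one ktsaou raises: sensors that only log dropped packets cannot supply handshake state, so a feed built solely from drop logs has no corroborating field to check and needs some other source of evidence before it blocks.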