> Thanks to everyone who responded... the verdict is definitely dshield. I
> was considering making it standard practice to block these addresses at
> my firewall and update on a weekly basis. I'm interested in what others
> think about this - recommended/valuable or not? So far I haven't seen
> that the list of addresses at dshield match any of those that are
> portscanning us but I figured it couldn't hurt.

Vinod Yegneswaran, a student at the Univ. of Wisconsin, just wrote a paper looking into this question:

http://www.dshield.org/WisconsinDShieldPaper.pdf

If you intend to use the list for blocking, I recommend our official block list. See http://www.dshield.org/block_list_info.html for more details.

The '100 targets' list was set up after people asked for a more extensive blocklist. So you can give it a try and see how it works for you. Using a list based on correlated data from a large user group makes spoofing harder but not impossible.

While the block list is regularly reviewed for 'sane-ness', the '100 targets' list is too large to do the same. I usually discourage the use of the top 10 list, as it is too limited.

Another note: While the data feeds from DShield are free to use, we hope you find them useful enough to contribute to the system by sending your own logs.

--
--------------------------------------------------------------------
[EMAIL PROTECTED]
Collaborative Intrusion Detection
join http://www.dshield.org