I'm wondering how many of you use Bogon Lists and http://www.dshield.org/top10.html type lists on your routers? I'm curious to know if you are an ISP with customers, a backbone provider, or someone else? I have a feeling not many people use these on routers? I'm wondering why or why not?
I've never used them on my routers, although I work for a new ISP/cable provider. I'm thinking it would make my users happy to use them, though.
I can comment on the dshield list.
I have seen this before. I am checking one particular IP on my network that has a very popular freehost on it. Checking the load balancer IP (connections cannot be originated from this IP), it shows that there were 13 attacks initiated from the IP, and 7 targets. Whatever their algorithm is, it doesn't seem reliable enough for me to trust it if an IP that cannot originate connections is listed as an attacker (albeit small on their list).
–Phil
I do not recommend adding every IP listed at DShield to your filter.
We do publish a 'block list', of the worst networks (based on reports
for the last 5 days).
Quick note on our methods: We basically aggregate firewall logs and
offer summarized reports. The reports should allow everyone to apply
their own judgment.
Alsato,
I have recently begun using Bogon Lists myself, after some research and
convincing advice I received from members of this list. However, I do
not agree with the terminology. A Bogon List is absolute (termed from
Bogus, derived from bogus or unreal). The only addresses I would place
in this list are address blocks that have not been assigned, adding 1918
at borders. Other routes, determined malevolent or non-existent, should
be configured case-by-case. I don't believe I would trust any source as
definitive. It has already proven a valuable measure against unwanted
traffic, as you can see in a one-week timespan:
Extended IP access list 120 (Compiled)
permit tcp any any established (243252113 matches)
deny ip 0.0.0.0 1.255.255.255 any (825328 matches)
deny ip 2.0.0.0 0.255.255.255 any (413487 matches)
deny ip 5.0.0.0 0.255.255.255 any (410496 matches)
deny ip 7.0.0.0 0.255.255.255 any (413621 matches)
deny ip 10.0.0.0 0.255.255.255 any (1524547 matches)
deny ip 23.0.0.0 0.255.255.255 any (411623 matches)
deny ip 27.0.0.0 0.255.255.255 any (414992 matches)
deny ip 31.0.0.0 0.255.255.255 any (409379 matches)
deny ip 36.0.0.0 1.255.255.255 any (822904 matches)
deny ip 39.0.0.0 0.255.255.255 any (415316 matches)
deny ip 41.0.0.0 0.255.255.255 any (412452 matches)
deny ip 42.0.0.0 0.255.255.255 any (408982 matches)
deny ip 49.0.0.0 0.255.255.255 any (412448 matches)
deny ip 50.0.0.0 0.255.255.255 any (411544 matches)
deny ip 58.0.0.0 0.255.255.255 any (409797 matches)
deny ip 59.0.0.0 0.255.255.255 any (409663 matches)
deny ip 60.0.0.0 0.255.255.255 any (411317 matches)
deny ip 69.0.0.0 0.255.255.255 any (409853 matches)
deny ip 70.0.0.0 1.255.255.255 any (833182 matches)
deny ip 72.0.0.0 7.255.255.255 any (3300703 matches)
deny ip 82.0.0.0 1.255.255.255 any (828636 matches)
deny ip 84.0.0.0 3.255.255.255 any (1650688 matches)
deny ip 88.0.0.0 7.255.255.255 any (3301130 matches)
deny ip 96.0.0.0 31.255.255.255 any (13193345 matches)
deny ip 169.254.0.0 0.0.255.255 any (204893 matches)
deny ip 172.16.0.0 0.15.255.255 any (48290 matches)
deny ip 192.0.2.0 0.0.0.255 any (201 matches)
deny ip 192.168.0.0 0.0.255.255 any (326367 matches)
deny ip 197.0.0.0 0.255.255.255 any (409469 matches)
deny ip 198.18.0.0 0.1.255.255 any (3201 matches)
deny ip 201.0.0.0 0.255.255.255 any (410619 matches)
deny ip 222.0.0.0 1.255.255.255 any (823491 matches)
deny ip 223.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any (13165320 matches)
permit ip any any (600152250 matches)
For more detailed information on the subject matter, contact Rob Thomas
or John Brown, also NANOG members.
Good luck with your endeavors; you're on the right track.
Jeff
PGP: 0x54B1A25C
"There are 10 types of people:
those that understand binary,
and those that do not.
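To make the semantics of the access list above concrete, here is an added example (my own code, not from the post or from Cisco) that parses a constructed excerpt of the same IOS-style ACL syntax, converts each wildcard mask into a CIDR prefix, and evaluates packets with the first-match rule that IOS applies. The ACL text, the packet addresses and the helper names are all constructed for the example.

```python
import ipaddress

# Constructed excerpt of the IOS-style extended ACL quoted in the post (same
# syntax, fewer entries, no match counters). A Cisco wildcard mask is an
# inverted netmask: 0.255.255.255 covers a /8, 0.15.255.255 a /12, and so on.
ACL_TEXT = """
permit tcp any any established
deny ip 10.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
permit ip any any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network. Wildcard bits set to
    1 are 'don't care', so a contiguous wildcard of n low bits is a /(32-n)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    n = wc.bit_length()
    if wc != (1 << n) - 1:
        # Non-contiguous wildcards are legal in IOS but have no CIDR equivalent.
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - n}", strict=False)


def _take_address(tokens):
    """Consume one source or destination spec ('any', 'host X', or 'X wildcard')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse one entry: '<permit|deny> <proto> <src> <dst> [established]'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "established": "established" in rest, "text": line}


def load_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: list, src: str, dst: str, proto: str = "tcp",
             established: bool = False) -> tuple:
    """First-match evaluation, as IOS does it. Returns (action, matching entry);
    a packet that matches nothing hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["established"] and not established:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"


ACL = load_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed packets: (src, dst, proto, ACK/RST already set)
    for pkt in [("10.1.2.3", "198.51.100.5", "udp", False),
                ("203.0.113.9", "198.51.100.5", "tcp", False),
                ("10.1.2.3", "198.51.100.5", "tcp", True)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

Two things the walk-through makes visible. The wildcard arithmetic confirms what each line in the post covers (0.15.255.255 on 172.16.0.0 is exactly the RFC 1918 /12, 31.255.255.255 on 224.0.0.0 is the whole class D/E /3). And because `permit tcp any any established` comes first, a TCP segment with ACK or RST set from a bogon source is permitted before the deny lines are ever consulted; if the intent is for the bogon denies to apply unconditionally, they belong above the established rule.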
I looked up a nameserver that I once worked with and found that it is
"attacking" from port 53. Needless to say, it's not hacked, it's
answering queries.
"I do not recommend adding every IP listed at DShield to your filter"
/understatement.
I took a short while to peruse the data collected and distributed by
DShield. I don't believe I need to go into the many reasons (I'm sure
you know yourself) why this information is completely unreliable, but
worse, possibly damaging. Offering this data, backed up by SANS name for
credibility, might entice a novice engineer to act upon it.
This:
"Disclaimer
DShield currently employs as little filtering of incoming reports as
possible. Most reports are sent anonymously. We do not know if these
logs are truthful, or if the firewall configuration was correct. DShield.org will attempt to protect the identity of the submitter. If
you have a question regarding a specific target or source IP, please
send an e-mail to info@dshield.org." is insufficient
and, IMHO, irresponsible.
That said, I do believe your motives and purpose are worthwhile, but the
process completely undermines them both. If you're interested in
retooling the scripts and using registered and credible sources, I would
not only offer assistance in the effort but endorse it as well.
Jeff Nelson
PGP: 0x54B1A25C
"There are 10 types of people:
those that understand binary,
and those that do not.
"I do not recommend adding every IP listed at DShield to your filter"
/understatement.
I took a short while to peruse the data collected and distributed by
DShield. I don't believe I need to go into the many reasons (I'm sure
you know yourself) why this information is completely unreliable, but
worse, possibly damaging.
/overstatement
DShield data is not 'completely unreliable'. However, in order to use
it, one has to understand and take into account how it is collected.
If you find one of your machines listed as 'attackers', you may want
to take a closer look at the reports. If it turns out that the machine
in question is your DNS server, and the reports listed are port 53
requests, you can probably assume that everything is fine, in particular
if there are only a few reports.
We (DShield) don't apply any filters, but this doesn't indicate that you
shouldn't. We do not apply any filters because we do not know your network
configuration.
In several cases, we added IPs to our 'false positive' list of IPs which
we consider as common sources of false positive reports. For example,
root DNS servers are on this list, some large load balancers and some
port scan sites (Shields Up...)
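The judgment described in this reply (and the load-balancer case Phil raised earlier in the thread) can be written down. The following added example is my own code, not DShield's: it aggregates constructed report lines per source into the report and target counts that the summaries show, then applies a small local inventory to separate known false-positive sources from entries that deserve a closer look. The line format, the addresses, the inventory roles and the threshold `few` are all assumptions made for the example, not DShield's submission format.

```python
from collections import Counter, defaultdict

# Constructed sample reports in a simplified whitespace format (this is NOT
# DShield's real submission format): src_ip src_port dst_ip dst_port proto
SAMPLE_REPORTS = """
192.0.2.53 53 198.51.100.7 40123 udp
192.0.2.53 53 198.51.100.8 51111 udp
192.0.2.53 53 198.51.100.9 41222 udp
192.0.2.10 80 198.51.100.20 5555 tcp
203.0.113.77 4444 198.51.100.7 445 tcp
203.0.113.77 4444 198.51.100.8 445 tcp
203.0.113.77 4444 198.51.100.9 445 tcp
203.0.113.77 4444 198.51.100.10 445 tcp
203.0.113.77 4444 198.51.100.11 445 tcp
203.0.113.77 4444 198.51.100.12 445 tcp
198.51.100.200 33333 198.51.100.7 22 tcp
"""

# Hypothetical local inventory: what the operator knows about its own hosts.
INVENTORY = {
    "192.0.2.53": "dns-server",
    "192.0.2.10": "lb-vip",  # load balancer VIP; cannot originate connections
}


def summarize(text: str) -> dict:
    """Aggregate raw reports per source into the figures a summary shows:
    number of reports, distinct targets, and the source ports seen."""
    per_src = defaultdict(lambda: {"reports": 0, "targets": set(),
                                   "src_ports": Counter()})
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto = line.split()
        s = per_src[src]
        s["reports"] += 1
        s["targets"].add(dst)
        s["src_ports"][int(sport)] += 1
    return per_src


def triage(summary: dict, inventory: dict, few: int = 5) -> dict:
    """Apply the reasoning from the thread to each source. Returns {src: verdict}.
    'few' is an assumed threshold for 'only a few reports'."""
    verdicts = {}
    for src, s in summary.items():
        role = inventory.get(src)
        if role == "lb-vip":
            # A VIP that cannot originate connections cannot be the attacker.
            verdicts[src] = "false-positive: VIP cannot originate connections"
        elif (role == "dns-server" and set(s["src_ports"]) == {53}
              and s["reports"] <= few):
            # Source port 53 from a known resolver is answers, not attacks.
            verdicts[src] = "benign: few reports, all from port 53 (DNS answers)"
        elif len(s["targets"]) >= few:
            verdicts[src] = "investigate: one source, %d targets" % len(s["targets"])
        else:
            verdicts[src] = "low: isolated report"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORTS)
    for src, verdict in triage(summary, INVENTORY).items():
        s = summary[src]
        print(f"{src:16} reports={s['reports']:2} targets={len(s['targets']):2}  {verdict}")
```

The point of the inventory step is the one made above: the aggregator cannot know which of your addresses is a resolver or a load balancer VIP, so that context has to be applied on the receiving side before any entry is turned into a filter.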
"/overstatement" -- fair enough. I don't mean to diminish the effort.
I guess it is the unused potential that gets under my skin here. This
could actually be an extremely useful tool for research if the data had
some sense of accountability.
"one has to understand and take into account how it is collected"
Based on your methods of collection, with minimal work, one could make
167.216.198.40 #1 on the Most Wanted list (assuming sans.org is not on the
false positives list).
Anyway, that's my $.02... I'll mind my own business now