Access denied and blockliss

Published: 2013-10-16
Last Updated: 2013-10-17 01:40:00 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

If you are surfing the Internet, minding your own business, and receive an access denied message, you might understandably wonder why. One Internet surfer discovered exactly that: he was trying to reach a legitimate web site to book a service in a country he was planning to visit. Imagine his surprise when he saw the image below in his web browser!

Hmm, whatever could that mean? If I were him I would try to contact DShield. It is almost as though the company was using a blacklist or blocklist that this user had been placed on, presumably for attacking other people on the Internet. As SANS Internet Storm Center Handlers we have access to the DShield database and can query it. Our recommended block list is public and located here:

https://isc.sans.edu/block.txt

However, the IP address of our web surfer is not on that list. A query of DShield does return some hits: nine in fact, all from the 11th of October and all to port 80. Not exactly an aggressive attacker hacking his way across the Internet. My guess is that he clicked on stale links pointing at addresses where web servers used to be, and the sensors now listening there reported his dropped connection attempts as traffic from that IP address.

What we know is that a certain vendor, which shall remain nameless for the time being, is making use of DShield data incorrectly and inappropriately, and they should stop. If you recognize this error message, you know who you are. If you make use of this vendor's equipment or software, be advised that whatever feature you have turned on is blocking completely innocent users trying to buy your services. It is not making you any more secure at all. I am not fond of blacklists or blocklists in general, and this misuse of one is a particularly bad idea: the recommended block list summarizes the most aggressive source networks, while a handful of raw sensor reports against a single address proves nothing.
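To make the difference concrete, here is an added example (my own code, not the diary's and not any DShield or vendor tool) that contrasts the two ways of using this kind of data. It parses a constructed sample in the tab-delimited layout of the public block list, whose column order (start, end, prefix length, number of reporting targets, name, country, contact) is assumed from the file's own header comments; it then compares a naive "any report means deny" rule against a decision that honours the recommended list and otherwise requires the raw reports to be numerous, sustained over several days and spread across several ports. The sample block list entries, the report records, and the thresholds in `should_block` are all constructed assumptions for illustration, using RFC 5737 documentation addresses.

```python
import ipaddress
from datetime import date

# Constructed sample in the layout of the DShield block list (block.txt).
# Not live data: the networks are RFC 5737 documentation ranges. The column
# order is assumed from the file's header: start, end, prefix length,
# number of reporting targets, network name, country, contact address.
SAMPLE_BLOCK_LIST = """\
#   DShield.org Recommended Block List (constructed sample, not live data)
#   (1) start  (2) end  (3) subnet  (4) targets  (5) name  (6) country  (7) email
192.0.2.0\t192.0.2.255\t24\t4096\tEXAMPLE-NET-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t2731\tEXAMPLE-NET-2\tXX\tabuse@example.org
"""

# Constructed per-source report records of the kind a sensor database holds:
# (source IP, report date, destination port). The first nine mimic the diary's
# web surfer (nine port-80 reports on one day); the rest mimic a real scanner
# hitting seven ports on four consecutive days.
SAMPLE_REPORTS = (
    [("203.0.113.7", date(2013, 10, 11), 80)] * 9
    + [("203.0.113.99", date(2013, 10, d), p)
       for d in (9, 10, 11, 12)
       for p in (22, 23, 80, 443, 445, 3389, 8080)
       for _ in range(10)]
)


def parse_block_list(text):
    """Return [(ip_network, targets)] from block.txt-style text, skipping comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue  # malformed row: ignore it rather than block on garbage
        start, prefix, targets = fields[0], fields[2], fields[3]
        try:
            net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
            nets.append((net, int(targets)))
        except ValueError:
            continue  # unparsable address or count: skip the row
    return nets


def on_block_list(ip, nets):
    """True if the address falls inside any network on the recommended list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net, _targets in nets)


def naive_block(ip, reports):
    """The misuse the diary describes: any report at all against the IP means deny."""
    return any(src == ip for src, _day, _port in reports)


def report_summary(ip, reports):
    """Count reports, distinct days and distinct destination ports for one source."""
    mine = [(day, port) for src, day, port in reports if src == ip]
    return {
        "reports": len(mine),
        "days": len({day for day, _port in mine}),
        "ports": len({port for _day, port in mine}),
    }


def should_block(ip, nets, reports, min_reports=100, min_days=3, min_ports=5):
    """Decision rule with assumed thresholds (mine, not DShield's): the recommended
    list wins outright; raw reports only justify a block when they are numerous,
    sustained over several days and spread across several ports."""
    if on_block_list(ip, nets):
        return True, "listed in recommended block list"
    s = report_summary(ip, reports)
    if s["reports"] >= min_reports and s["days"] >= min_days and s["ports"] >= min_ports:
        return True, f"{s['reports']} reports over {s['days']} days on {s['ports']} ports"
    return False, f"only {s['reports']} report(s) over {s['days']} day(s) on {s['ports']} port(s)"


if __name__ == "__main__":
    nets = parse_block_list(SAMPLE_BLOCK_LIST)
    for ip in ("203.0.113.7", "203.0.113.99", "192.0.2.55", "198.18.0.1"):
        print(ip, "naive:", naive_block(ip, SAMPLE_REPORTS),
              "considered:", should_block(ip, nets, SAMPLE_REPORTS))
```

Run as-is, the surfer's address (203.0.113.7) is denied by `naive_block` but passes `should_block` with the reason "only 9 report(s) over 1 day(s) on 1 port(s)", while the scanner and the listed /24 are blocked either way. Whatever thresholds a real deployment chooses, the point stands: a feed of raw sensor reports is evidence to be weighed, not a deny list to be applied verbatim.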

Let's be careful out there!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule


Comments

Haha! I see this message appearing in some search engine indices, where the crawler's IP has quite understandably followed outdated links and hit DShield sensors. I guess that means the error message must be served up with 200 OK status which is also very wrong.
