
SANS ISC: Updated DShield Blocklist - Internet Security | DShield SANS ISC InfoSec Forums


Updated DShield Blocklist

Earlier today, I updated how our "block list" is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is provided "as is" and you use it at your own risk. There will likely be some false positives from time to time, and of course, your definition of "false positive" may differ from ours.

As before, the list consists of /24 networks. We found in the past that this network size provides a reasonable balance between false positives and efficiently blocking sets of known misbehaving IPs.

Networks will be de-listed on request. We will not review the request for "maliciousness". But if you know you are listed, and you ask us to remove you, we will do so as soon as possible. 

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.
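The ranking described above, as an added example (not ISC's own code): reports are aggregated per source /24, networks seen by fewer than two submitters are dropped, known false-positive ranges are excluded, and the rest are ordered by the number of distinct targets they hit. The report tuples, the exclusion range and the "distinct targets" measure are assumptions for illustration.

```python
"""Rank source /24 networks by distinct targets attacked, keeping only
networks reported by multiple submitters (added example, not ISC's code)."""
import ipaddress
from collections import defaultdict

# Constructed sample reports (submitter_id, source_ip, target_ip); not real data.
SAMPLE_REPORTS = [
    ("sub-a", "203.0.113.7", "198.51.100.1"),
    ("sub-b", "203.0.113.9", "198.51.100.2"),
    ("sub-b", "203.0.113.9", "198.51.100.3"),
    ("sub-a", "192.0.2.4", "198.51.100.1"),
    ("sub-c", "192.0.2.4", "198.51.100.1"),
    ("sub-a", "100.64.1.5", "198.51.100.7"),   # single submitter -> dropped
    ("sub-a", "100.64.1.6", "198.51.100.8"),
    ("sub-c", "198.18.0.1", "198.51.100.4"),   # in an assumed exclusion range
    ("sub-d", "198.18.0.2", "198.51.100.5"),
]

def to_slash24(ip):
    """Collapse a source IPv4 address to its containing /24 network."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def rank_networks(reports, min_submitters=2, exclusions=()):
    """Return [(network_str, distinct_target_count)], most targets first.

    exclusions: CIDR strings treated as known false positives; any /24
    inside one of them is skipped before ranking."""
    excluded = [ipaddress.ip_network(cidr) for cidr in exclusions]
    targets = defaultdict(set)     # /24 -> set of distinct target IPs
    submitters = defaultdict(set)  # /24 -> set of distinct submitter ids
    for submitter, src, dst in reports:
        net = to_slash24(src)
        if any(net.subnet_of(x) for x in excluded):
            continue
        targets[net].add(dst)
        submitters[net].add(submitter)
    ranked = [(str(net), len(targets[net])) for net in targets
              if len(submitters[net]) >= min_submitters]
    # Sort by target count descending, then by network for a stable order.
    return sorted(ranked, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for net, count in rank_networks(SAMPLE_REPORTS, exclusions=["198.18.0.0/15"]):
        print(f"{net}\t{count} targets")
```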

Of course, you can make up your lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter data displayed on our site for false positives. It is up to you to decide what is a false positive. For example, we do include "research scans" in our data, and even in our blocklists. Some may consider this a false positive.

"Top 10" blocklists do block Internet-wide, common scans. They will not protect you from targeted scans, and they will not protect you from all scans of this type. Please understand these limitations before applying this blocklist. The block list is updated once an hour.

URL of our blocklist: https://isc.sans.edu/feeds/block.txt

For more detailed data, use our API: https://isc.sans.edu/api

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3532 Posts
ISC Handler
Is the Palo Alto block list the same or is there a correlation between the lists? From this diary: "Subscribing to the DShield Top 20 on a Palo Alto Networks Firewall". Also, is it possible to know why these ranges are on your list?

Thanks!
Jason
Jason

1 Posts
The list in the Palo Alto diary is the same list. This is the only blocklist we publish. At this point, there isn't an easy way to retrieve all the records from a /24, but I am working on that.
Johannes

3532 Posts
ISC Handler
Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.
Anonymous
Quoting Anonymous: Since the purpose of the list is supposed to be more for research rather than for blocking, have you considered changing the name of the list? Just a thought.


A research-oriented distributed intrusion detection system named "dshield" sounds sensible.
Anonymous
