Saturday, February 25, 2012

DShield

DShield is an extension of the SANS Internet Storm Center and is a "distributed intrusion detection system for data collection and analysis", to quote their site. What this means, quite simply, is that DShield aggregates firewall logs submitted from all over the world, analyzes them, and makes the information available to anyone to use. What you'll find on the site is trending information on which ports are being probed and attacked and who the top attackers are. What makes it really interesting (and useful) is that if you are a contributor, you can see which IP addresses have been targeting you (via the My Reports page and, if you so elect, daily summary emails).
To participate, which benefits not only you but the NetSec community at large by increasing the pool of knowledge, do the following:

  1. Download and install a syslog server (for Windows, Kiwi from SolarWinds works well and is free).
  2. Point your broadband router's firewall logging at it.
  3. Install the DShield client, configure it, and point it at your syslog file.
  4. Use Task Scheduler to run the client at least once a day and no more than once an hour.
I left out a whole lot of niggling details there, but it's not that difficult to get up and running: there is documentation, and help is available by emailing the address provided if you can't get it going. Of course, if you're using some other type of firewall (like a Linux box running iptables) or want to send anonymized logs from a commercial firewall, you'll need to do a little more to get things set up.

The client, called cvtwin, has built-in support for the log formats of most major broadband equipment manufacturers. My current router is a Buffalo, and cvtwin parses its logs nicely with no tweaking needed.
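As an added illustration (not part of the original post, and not DShield's cvtwin client), here is a small Python script that does locally what DShield does with the logs it receives: it parses iptables-style syslog lines, the kind a Linux firewall box produces, and tallies the top source addresses and the most-probed ports. The log lines are constructed for the example and use documentation address ranges.

```python
"""Tally firewall log lines the way DShield's trend pages do: top source
addresses and top probed ports. Added illustration, not DShield's cvtwin;
the iptables-style syslog lines below are constructed sample data."""
import re
from collections import Counter

# Fields of a typical iptables LOG entry as it appears in syslog.
# SPT/DPT are absent for protocols without ports (e.g. ICMP).
IPT_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

SAMPLE_LOG = """\
Feb 25 10:01:02 gw kernel: [1.0] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 SYN
Feb 25 10:01:03 gw kernel: [1.1] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4445 DPT=23 WINDOW=1024 SYN
Feb 25 10:02:10 gw kernel: [1.2] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=53120 DPT=22 WINDOW=65535 SYN
Feb 25 10:03:44 gw kernel: [1.3] DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=32 PROTO=UDP SPT=5060 DPT=5060
Feb 25 10:04:00 gw kernel: [1.4] DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Feb 25 10:05:00 gw sshd[123]: Accepted publickey for alice from 192.0.2.20
"""


def parse_line(line):
    """Return (src, proto, dport) for an iptables LOG line, else None."""
    m = IPT_RE.search(line)
    if not m:
        return None  # not a firewall line (e.g. sshd noise in the same syslog)
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("src"), m.group("proto"), dpt


def summarize(log_text):
    """Count hits per source address and per (proto, dport) target."""
    sources, targets = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dpt = rec
        sources[src] += 1
        targets[(proto, dpt)] += 1
    return sources, targets


if __name__ == "__main__":
    srcs, tgts = summarize(SAMPLE_LOG)
    print("Top sources:", srcs.most_common(3))
    print("Top targets:", tgts.most_common(3))
```

On a real box, feed it the syslog file your firewall logs to instead of SAMPLE_LOG; the counts are the same "who is thumping your door" view, just for your own network rather than the whole Internet.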

You can find the information and the client for download at http://www.dshield.org. You'll not only get some impressive insight into who's thumping your door (without all that manual log inspection), but you'll be helping the overall security of the Internet as well. What a bargain! =-)
