Internet Storm Watchers

    January 20, 2003

Most of us are content with the protection a firewall affords us, and don’t bother to analyze the data the programs collect. Which ports are being probed? How often? Is the same source IP repeated with alarming frequency? We rarely check. The information locked away in those unexamined log files could potentially prevent script kiddie rampages, stop the spread of malware, and even help track and prevent hacker break-ins. And yet those files go largely unanalyzed, especially by home users. The firewall does its job, and we’re satisfied.

Data, Data, Everywhere
Johannes Ullrich was certain that there was a way to use all that stored information. A plan of action sparked to life in his brain during the summer of 2000. When a DDoS attack was launched against eBay, primarily involving zombies, the lack of (and need for) a centralized place to analyze attack information became agonizingly apparent.

Ullrich considered the ISACs (Information Sharing and Analysis Center) model, becoming popular with the banking industry at the time, and a thought occurred to him – why not centralize computer attack information the way banks centralize their information? DShield was born later that year, over Thanksgiving weekend (“that’s what happens to me after too much turkey,” quipped Ullrich). DShield was born as a kind of ISAC for “the little guy.”

What is DShield?
DShield ( is a clearinghouse for firewall log reports. While it originally began as a volunteer effort, bandwidth and salaries are now funded by the SANS Institute. Just three people run DShield, including Johannes Ullrich who continues to lead the project.

The way it works is simple: individuals with firewalls or other intrusion detection systems download free DShield clients. Installation is a snap – I set up the CVTWIN universal client, for use with my ZoneAlarm firewall, in less than five minutes. The client software regularly parses firewall log files and formats the data, yet doesn’t interfere in any way with the operation of the firewall.

Users can automate log file submissions or they can choose to send in logs manually. Using the simple directions on the DShield site, I set my scheduler to automatically send my log files information to DShield on a daily basis. Firewall admins can also select the “Fightback” option, which allows DShield to use their submitted information to help users fight back against attackers.

Information from a single firewall often has little meaning by itself; when combined with many other firewall logs, however, it can highlight important trends and potential problems. Ullrich estimates that around 2000 users report their data daily, while the number of registered uses is around 38,000. Between 200,000 and 500,000 target IPs are reported each day. Since DShield accepts a large number of anonymous reports every day, it’s difficult to quantify the number of systems involved. Submissions are numerous -enough to make patterns apparent in the swirling chaos of numbers.
How is the information used?

The client software from DShield is designed to parse log files and extract date, sourceip, source port, targetip, target port, protocol, and flags. When a particular IP address racks up an outstanding number of port probes, DShield reports the situation to the offender’s ISP. Numbers make a difference. If data proves that one IP address has probed hundreds of thousands of system ports, then there is a strong case for action.

“DShield provides a simple and effective method for users to “push back” against the ubiquitous scanning activity,” says Ullrich. “Not only do users contribute to the early warning system, but we also notify ISPs of infected machines in a standard format to hopefully ease the cleanup of infected machines.”

This isn’t a heartless quest to get users kicked off their ISPs, however. “I see the machines listed as “attacker” more as “victims” themselves,” says Ullrich.

In many cases, the attacker literally is a victim. Many attacking computers are infected with malicious programs that cause them to unwittingly aid hackers or pointlessly propagate through unguarded ports. Many owners aren’t aware of what their computers are up to, and they’re grateful when they find out what’s wrong so they can fix the problem.

Is it safe?
Some Internet users might want to participate in DShield’s program, but may worry that their log files could somehow be used against them. Is it dangerous to submit detailed firewall log information to DShield? Ullrich doubts it. If a hacker intercepted email during data submission to DShield, then “the interceptor would just know that the machine is secured by a firewall and should probably not be scanned.”

Those who are still concerned about email interception may choose to copy and paste their log files into a submission form and send them in that way.

Since firewall information is used to verify port probing by particular IP addresses belonging to people with unknown motives, DShield client users can submit anonymously. Instead of revealing their true IP addresses, they can opt to have the first byte changed to “10” so their real IP addresses are not revealedin Fightback documents. Every opportunity is afforded the submitter to stay secure and anonymous.

Data in action
In addition to its watchdog role, DShield also provides useful data to the SANS Institute’s Internet Storm Center ( Here, firewall log data is interpreted and displayed as graphs and tables, along with noteworthy trends.

It’s possible to view data according to country of origin. Interestingly, port-scanning activity often varies geographically. This is especially true when viruses or worms propagate from a country of origin and spread outwards.

Back at the DShield site, visitors can learn about particularly active worms and viruses, see the “most popular” scanned ports, find out who the top attacking IP address is, and view the IP addresses of the “10 Most Wanted” port scanners, including the number of ports the offenders have scanned. The “Are You Cracked?” link quickly compares your IP address to the DShield’s database of attackers. DShield’s Block List provides a range of addresses with a history of suspicious activity. If you maintain a block list on your firewall, DShield’s list helps you quickly identify problem IP addresses and block them before they reach your system.

What’s Next
Despite the impressive amount of interpretive data available through both SANS and DShield, Ullrich still hopes to expand DShield’s offerings. There are plans in the works to improve summary data for users, and possibly to add user groups who will be able to share data. Additional plans include data collection expansion, and to perhaps include full packet content collection and analysis, as well as log analysis for specific applications.What does DShield hope to ultimately accomplish? “To become the ultimate early warning system for Internet attacks and to ease/speed up the cleanup of infected machines,” says Johannes Ullrich. It’s a noble goal, and one that seems readily within DShield’s grasp.

Would you like to “push back” against firewall scanners with DShield? Join with thousands of other users who report their port information to DShield. Visit DShield at, or go straight to get more information on DShield’s firewall clients

Jackie Rosenberger is an editor with iEntry, Inc.