[4299] in WWW Security List Archive


Re: Access Logfile Question

daemon@ATHENA.MIT.EDU (Dennis Glatting)
Sat Feb 8 14:19:39 1997

From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
Date: Sat,  8 Feb 97 07:50:14 -0800
To: "Paul F. Haskell" <phaskell@skyserv1.med.osd.mil>
cc: www-security@ns2.rutgers.edu
Reply-To: dennis.glatting@plaintalk.bellevue.wa.us
Errors-To: owner-www-security@ns2.rutgers.edu


> We are running reverse DNS from our server.  We have observed the
> following entry in our access logfile:
>
> UNKNOWN_HOST - - [05/Jan/1997:05:20:05 -0500] "GET /index.html HTTP/1.0" 304 0
>
> In fact there are a number of these lines, 370 out of a 280K line
> logfile for last month to be more precise.
>
> Does anyone have any idea who this might be, how to find out who
> this is, and/or how this might happen?
>

Most likely it is a host without a DNS PTR record.
Unfortunately, this is not uncommon and is both unintentional
and intentional. Some companies do not put their firewalls in
DNS, practising security by obscurity. Sometimes the
addresses are used for dynamic assignment so their owner
(e.g., an ISP) does not place them in DNS. Some people put in DNS A
records but not the PTRs. Yet others are just plain lazy.

Another obscure possibility is the sender is using the private
IP address space. If they are using the private IP address space
and accessing your site across a public network, dare I say they
are stupid because it is unlikely a response can be routed back.

You can combat these problems by not allowing access if an IP
address cannot be reversed. This would help the Internet as a
whole because often the problem is someone's broken DNS or
laziness, i.e., if someone wants access, they'll have to fix their
DNS. :)


-dpg
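
An added example, not part of the original message: a Python sketch that sorts client addresses into the cases described above (private address space, no PTR record) and applies the "refuse if it cannot be reversed" policy. It goes one step beyond the message by also checking that the PTR name maps back to the same address; the names classify, allow, fake_ptr and fake_a and the sample zone data are assumptions made for illustration.

```python
import ipaddress
import socket

# RFC 1918 private address space: no public PTR can exist for these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def system_ptr(ip):
    """Reverse lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_a(name):
    """Forward lookup via the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def classify(ip, ptr=system_ptr, a=system_a):
    """Return (verdict, hostname) for a client IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return ("private", None)
    name = ptr(ip)
    if name is None:
        return ("no_ptr", None)           # the case logged as UNKNOWN_HOST
    if ip not in a(name):
        return ("ptr_unconfirmed", name)  # PTR exists, A record disagrees
    return ("ok", name)

def allow(ip, **resolvers):
    """Policy from the message: refuse clients that cannot be reversed."""
    return classify(ip, **resolvers)[0] == "ok"

# Constructed sample zone data (documentation addresses, not real hosts).
PTRS = {"192.0.2.10": "www.example.com", "192.0.2.20": "dial7.example.net"}
ADDRS = {"www.example.com": ["192.0.2.10"]}
fake_ptr = PTRS.get

def fake_a(name):
    return ADDRS.get(name, [])

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(ip, classify(ip, fake_ptr, fake_a))
```

Called without the fake resolvers, classify and allow use the system resolver, so results then depend on live DNS.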


