[69239] in North American Network Operators' Group
Re: the value of reverse address lookups?
daemon@ATHENA.MIT.EDU (Andrew - Supernews)
Wed Mar 31 22:22:28 2004
To: nanog@merit.edu
In-Reply-To: <20040401022912.GT37789@skywalker.creative.net.au> (Adrian
Chadd's message of "Thu, 1 Apr 2004 10:29:12 +0800")
Date: Thu, 01 Apr 2004 04:16:51 +0100
From: "Andrew - Supernews" <andrew@supernews.net>
Errors-To: owner-nanog-outgoing@merit.edu

>>>>> "Adrian" == Adrian Chadd <adrian@creative.net.au> writes:

Adrian> if you reverse resolve, then some registry somewhere (ARIN,
Adrian> RIPE, APNIC, etc) recognises that network as having 'valid'
Adrian> contact details and has assigned someone reverse authority.
Adrian> It stops some IP block hijackers - if you find the right
Adrian> peer, you can just pop up for a bit, say "hi! I'm foo/12!",
Adrian> start spamming from a few /16's worth of IPs, then drop away
Adrian> after an hour.

This tactic is often bandied about - but given the number of people
and sites that track BGP changes, why does no one produce any evidence
of it actually happening?

Adrian> In practice, at least with IP block hijackers, they'll either
Adrian> (a) hijack a smaller chunk of a registered/announced ip
Adrian> network, complete with nameservers, or
Adrian> (b) they'll find a registered but un-announced ip network,
Adrian> with the in-addr authoritative nameservers inside said
Adrian> network, and just pop up for spamming there.

Most commonly, IP space hijackers start by falsely updating the
registration info at the RIR, and/or forging letters of authority
purporting to allow them to announce the block, and work from there.

--
Andrew, Supernews
http://www.supernews.com
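
An added illustration, not part of the original message or written by either poster: a sketch of how someone tracking BGP changes could flag the two patterns discussed above, a more-specific announcement from a different origin inside an already announced network, and an announcement withdrawn again within about an hour. The event tuple format, the function name `flag_announcements` and the 3600-second threshold are assumptions, and the sample feed is constructed from documentation prefixes and reserved or private-use ASNs.

```python
import ipaddress

# Constructed sample feed: (unix_time, "A" announce / "W" withdraw, prefix, origin ASN).
# Documentation prefixes and reserved/private-use ASNs only; not real routing data.
EVENTS = [
    (0,    "A", "198.51.100.0/24",   64500),  # established route
    (1000, "A", "198.51.100.128/25", 64511),  # smaller chunk, different origin
    (2800, "W", "198.51.100.128/25", 64511),
    (5000, "A", "203.0.113.0/24",    64512),  # previously unannounced block
    (8000, "W", "203.0.113.0/24",    64512),
    (9000, "A", "192.0.2.0/24",      64501),  # announced and left up
]

def flag_announcements(events, max_lifetime=3600):
    """Return findings for review; max_lifetime (seconds) is an assumed threshold."""
    active = {}    # ip_network -> (announce_time, origin ASN)
    findings = []
    for ts, kind, prefix, origin in sorted(events):
        net = ipaddress.ip_network(prefix)
        if kind == "A":
            # Pattern (a): new route sits inside an active route with another origin.
            for other, (_, other_origin) in active.items():
                same_family = net.version == other.version
                if (same_family and net != other and net.subnet_of(other)
                        and origin != other_origin):
                    findings.append(("more-specific", prefix, origin, str(other)))
            active[net] = (ts, origin)
        elif kind == "W" and net in active:
            # Route that appears and is withdrawn within the threshold.
            start, first_origin = active.pop(net)
            if ts - start <= max_lifetime:
                findings.append(("short-lived", prefix, first_origin, ts - start))
    return findings

if __name__ == "__main__":
    for finding in flag_announcements(EVENTS):
        print(finding)
```

A finding here is only a prompt to check the origin against registration data; legitimate traffic engineering also produces more-specific and brief announcements.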