[77817] in North American Network Operators' Group


Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Feb 9 12:04:25 2005

To: UNIversity Security Operations Group <unisog@lists.sans.org>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Wed, 09 Feb 2005 12:11:16 GMT." <1107951076.23423.42.camel@ketil>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 09 Feb 2005 12:03:10 -0500
Errors-To: owner-nanog-outgoing@merit.edu



On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
> 
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
> 
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.

The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who.  In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.

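The check this thread implies, as an added example that is not part of the original mail: forward-confirm a PTR name before trusting it (resolve the name back to an address and require the original IP to appear), and key the record on the IP either way. The resolver here is a constructed in-memory table standing in for DNS; the addresses and the forward records are assumed, not observed.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. Real code would
# call socket.gethostbyaddr / socket.getaddrinfo or dnspython instead.
# 192.0.2.10 is an honest host: its PTR forward-resolves back to itself.
# 192.0.2.99 is the case from the thread: the address owner controls the PTR
# and points it at a name in someone else's zone, which never resolves back.
PTR_RECORDS = {
    "192.0.2.10": "host-10.example.net",
    "192.0.2.99": "1-2-3-4.dsl.verizon.net",
}
A_RECORDS = {
    "host-10.example.net": ["192.0.2.10"],
    "1-2-3-4.dsl.verizon.net": ["198.51.100.4"],
}


def lookup_ptr(ip):
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    return A_RECORDS.get(name, [])


def forward_confirmed_ptr(ip, ptr=lookup_ptr, forward=lookup_a):
    """Return the PTR name only if it resolves back to ip (FCrDNS), else None."""
    name = ptr(ip)
    if name is None:
        return None
    return name if ip in forward(name) else None


def bot_record(ip):
    """Entry to store for a suspected bot: the IP is the key, the hostname is
    kept only when forward-confirmed, and a flag marks a PTR that failed."""
    ipaddress.ip_address(ip)  # reject anything that is not a literal address
    claimed = lookup_ptr(ip)
    confirmed = forward_confirmed_ptr(ip)
    return {
        "ip": ip,
        "hostname": confirmed,
        "claimed_ptr": claimed,
        "ptr_spoofed": claimed is not None and confirmed is None,
    }
```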
