[Dshield] Need some help testing
Mar Matthias Darin
BDarin at tanaya.net
Sat Jul 7 19:56:19 GMT 2007
Hello,
Johannes Ullrich writes:
> guess it comes down to that it's not that easy to figure out if an IP
> address is static or dynamic. For example, all of 65.173.218.0/24 is
> statically assigned to SANS. We may be switching things around at times
> internally, but try to avoid it. Just to avoid enumeration, we do
> typically only set up reverse resolution for mail servers.
>
> Not exactly sure about the 4. IP. We use that /24 since about 2002 or
> so. But it's possible. Things move around.
>
> Discriminating against dynamic IPs is a good idea. But well, it's not
> always that easy to figure out what's dynamic :-(
Actual block assignments are not considered in the determination of a
dynamic IP address, only how the reverse domain name is reported on a
lookup.
Using the IETF draft as reference, all of the following are dynamic
(explanations as to what makes them dynamic follow each example):
3.251.74.238 n003-000-000-000.static.ge.com
Even though this has the reference of static in the RDN (reverse domain
name), it has the first dot-quad (003) and the place holders (000) for the
rest of the IP address in the RDN.
74.69.63.128 cpe-74-69-63-128.rochester.res.rr.com
This one has all four dot-quads of the IP address in the RDN, plus the
common identifier of CPE and the res (residential) identifier. Road Runner
(rr.com) has a strict AUP against users sending mail directly from within
the residential block.
151.37.185.34 adsl-34-185.37-151.net24.it
All four dot-quads present, plus the adsl identifier. Without the
dot-quads, this one would be in a gray area.
230.104.9.35 reserved-multicast-range-NOT-delegated.example.com
This one is reserved and not delegated, dynamic by the IETF draft.
219.114.99.190 p6190-ipad11okayamaima.okayama.ocn.ne.jp
This one has the fourth dot-quad in the RDN and the RDN is questionable by
the unusuality of the components on the RDN. Would be considered dynamic by
at least 25%.
157.197.4.73 u73.ppp4.unitel.co.kr
Fourth dot-quad present and the ppp identifier.
172.212.33.14 ACD4210E.ipt.aol.com
Dynamic by AOL's AUP. All four dot-quads present in hex.
145.104.175.170 surfnet-nl.ipv4.ptr.145.104.175.170.invalid
All four dot-quads present, ptr identifier present, invalid RDN.
4.130.95.186 dialup-4.130.95.186.Dial1.Dallas1.Level3.net
All four dot-quads present, dialup and dial identifier are also present.
210.143.79.199 199.79.143.210.in.addr.arpa.koutokuji.ne.jp
All four dot-quads present, in.addr.arpa also present.
128.180.234.30 r234030.res.Lehigh.EDU
Third and fourth dot-quads present. Residential identifier (dorm
connection) present.
It is important to note that a dynamic IP address may still be valid for
direct external connections (mail servers et al., very common in the UK).
The key element is when there is no question by the way the RDN is laid out
and a given provider's AUP.
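The checks described in the message above, as an added example that is not part of the original post: Python code that looks for the IPv4 octets (decimal, zero-padded or hex) and the identifier labels in a reverse domain name. The function names, the label set and the three verdict names are assumptions made for illustration; the sample pairs are taken from the message.

```python
import ipaddress
import re

# Identifier labels named in the message; "static" is deliberately absent.
HINTS = {"cpe", "res", "adsl", "ppp", "ptr", "dialup", "dial"}

def embedded_octets(ip, rdn):
    """Return the positions (1-4) of the IP's octets that appear in the RDN."""
    octets = str(ip).split(".")
    runs = re.findall(r"\d+", rdn)
    found = set()
    for pos, octet in enumerate(octets, start=1):
        for run in runs:
            # Equal as numbers covers zero padding (003 == 3); octets of two or
            # more digits may also sit inside a longer run (234030 holds 234, 30).
            if int(run) == int(octet) or (len(octet) >= 2 and octet in run):
                found.add(pos)
    # Whole address written as eight hex digits, e.g. ACD4210E.
    if "".join(f"{int(o):02x}" for o in octets) in rdn.lower():
        found = {1, 2, 3, 4}
    return found

def hint_labels(rdn):
    """Return the identifier labels present in the RDN."""
    name = rdn.lower()
    found = set(re.findall(r"[a-z]+", name)) & HINTS
    if "in.addr.arpa" in name:
        found.add("in.addr.arpa")
    return found

def classify(ip_text, rdn):
    """Return (verdict, octet positions, hints). Verdict rules are assumptions."""
    ip = ipaddress.IPv4Address(ip_text)
    octets, hints = embedded_octets(ip, rdn), hint_labels(rdn)
    if octets or ip.is_multicast or ip.is_reserved:
        verdict = "dynamic"
    elif hints:
        verdict = "gray"  # identifier only, no octets
    else:
        verdict = "unknown"
    return verdict, sorted(octets), sorted(hints)

if __name__ == "__main__":
    # Pairs taken from the message above.
    for ip_text, rdn in [("74.69.63.128", "cpe-74-69-63-128.rochester.res.rr.com"),
                         ("172.212.33.14", "ACD4210E.ipt.aol.com"),
                         ("128.180.234.30", "r234030.res.Lehigh.EDU")]:
        print(ip_text, rdn, classify(ip_text, rdn))
```

A single matching octet is a weak signal on its own: a host named mail2 at an address ending in .2 would also match, so the result is better used as one input to a score than as a block decision.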