[Dshield] Need some help testing
Tomas L. Byrnes
tomb at byrneit.net
Sun Jul 8 02:33:26 GMT 2007
The problem here is that you are referring to an IETF draft, which means
it is not even close to widely followed.
The APL RR type was a draft for 3 years, but never made it into the
spec. That would have been much more useful for filtering.
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Mar
> Matthias Darin
> Sent: Saturday, July 07, 2007 12:56 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Need some help testing
>
> Hello,
>
> Johannes Ullrich writes:
>
> > guess it comes down to that it's not that easy to figure out if an IP
> > address is static or dynamic. For example, all of 65.173.218.0/24 is
> > statically assigned to SANS. We may be switching things around at times
> > internally, but try to avoid it. Just to avoid enumeration, we do
> > typically only set up reverse resolution for mail servers.
> >
> > Not exactly sure about the 4. IP. We use that /24 since about 2002
> > or so. But it's possible. Things move around.
> >
> > Discriminating against dynamic IPs is a good idea. But well, it's not
> > always that easy to figure out what's dynamic :-(
>
> Actual block assignments are not considered in the
> determination of a dynamic IP address, only how the reverse
> domain name is reported on a lookup.
>
> Using the IETF draft as reference, all of the following are
> dynamic (explanations as to what makes them dynamic follow
> each example):
>
> 3.251.74.238 n003-000-000-000.static.ge.com
>
> Even though this has the reference of static in the RDN
> (reverse domain name), it has the first dot-quad (003) and
> the place holders (000) for the rest of the IP address in the RDN.
>
> 74.69.63.128 cpe-74-69-63-128.rochester.res.rr.com
>
> This one has all four dot-quads of the IP address in the RDN,
> plus the common identifier of CPE and the res (residential)
> identifier. Road Runner
> (rr.com) has a strict AUP against users sending mail directly
> from within the residential block.
>
> 151.37.185.34 adsl-34-185.37-151.net24.it
>
> All four dot-quads present, plus the adsl identifier.
> Without the dot-quads, this one would be in a gray area.
>
> 230.104.9.35 reserved-multicast-range-NOT-delegated.example.com
>
> This one is reserved and not delegated, dynamic by the IETF draft.
>
> 219.114.99.190 p6190-ipad11okayamaima.okayama.ocn.ne.jp
>
> This one has the fourth dot-quad in the RDN and the RDN is
> questionable by the unusuality of the components on the RDN.
> Would be considered dynamic by at least 25%.
>
> 157.197.4.73 u73.ppp4.unitel.co.kr
>
> Fourth dot-quad present and the ppp identifier.
>
> 172.212.33.14 ACD4210E.ipt.aol.com
>
> Dynamic by AOL's AUP. All four dot-quads present in hex.
>
> 145.104.175.170 surfnet-nl.ipv4.ptr.145.104.175.170.invalid
>
> All four dot-quads present, ptr identifier present, invalid RDN
>
> 4.130.95.186 dialup-4.130.95.186.Dial1.Dallas1.Level3.net
>
> All four dot-quads present, dialup and dial identifier are
> also present.
>
> 210.143.79.199 199.79.143.210.in.addr.arpa.koutokuji.ne.jp
>
> All four dot-quads present, in.addr.arpa also present.
>
> 128.180.234.30 r234030.res.Lehigh.EDU
>
> Third and fourth dot-quads present. Residential identifier (dorm
> connection) present.
>
> It is important to note that a dynamic IP address may still
> be valid for direct external connections (mail servers et
> al., very common in the UK).
> The key element is when there is no question by the way the
> RDN is laid out and a given provider's AUP.
>
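
The reverse-name checks walked through in the quoted message (dot-quads embedded in the RDN in decimal, zero-padded, fused or hex form, plus access-type labels), as an added example that is not part of the original thread and is not taken from the IETF draft. The function name `rdn_signals`, the label set and the substring matching rule are assumptions made for illustration; the sample pairs are copied from the message.

```python
import ipaddress
import re

# Access-type labels named in the quoted examples; assumed, not an exhaustive list.
ACCESS_LABELS = {"cpe", "res", "adsl", "ppp", "ptr", "dialup", "dial"}

def rdn_signals(ip, rdn):
    """Report which parts of an IPv4 address are embedded in its reverse name."""
    octets = ipaddress.IPv4Address(ip).packed  # raises ValueError on bad input
    name = rdn.rstrip(".").lower()
    digit_runs = re.findall(r"\d+", name)
    # Substring match covers zero padding (003) and fused octets (234030).
    # Caveat: a one-digit octet matches any run containing that digit.
    present = [pos for pos, o in enumerate(octets, start=1)
               if any(str(o) in run for run in digit_runs)]
    # Whole address written as eight hex digits, as in the AOL example.
    hex_form = octets.hex() in name
    # Alphabetic runs, so "ppp4" and "Dial1" still yield "ppp" and "dial".
    labels = sorted(ACCESS_LABELS.intersection(re.findall(r"[a-z]+", name)))
    return {"octets": present, "hex": hex_form, "labels": labels}

# IP / RDN pairs copied from the quoted message.
SAMPLES = [
    ("3.251.74.238", "n003-000-000-000.static.ge.com"),
    ("74.69.63.128", "cpe-74-69-63-128.rochester.res.rr.com"),
    ("219.114.99.190", "p6190-ipad11okayamaima.okayama.ocn.ne.jp"),
    ("172.212.33.14", "ACD4210E.ipt.aol.com"),
    ("4.130.95.186", "dialup-4.130.95.186.Dial1.Dallas1.Level3.net"),
    ("128.180.234.30", "r234030.res.Lehigh.EDU"),
    ("230.104.9.35", "reserved-multicast-range-NOT-delegated.example.com"),
]

if __name__ == "__main__":
    for ip, rdn in SAMPLES:
        print(f"{ip:16} {rdn:52} {rdn_signals(ip, rdn)}")
```

The function only reports signals; whether a given combination is treated as dynamic is left to local policy and the provider's AUP, as the message notes.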