[Dshield] IP Spoofing question

Pete Cap peteoutside at yahoo.com
Fri Feb 20 13:47:32 GMT 2004

I'm investigating scanning activity related to MyDoom/follow-ons/etc. on our host network.  At the moment I'm looking up host names, looking for trends in the sources and so forth, and getting the usual expected proportions (US, China, Brazil, France, assorted Eastern European nations).  However, I'm seeing quite a bit of returns with no DNS pointer records.  Now, I'm no DNS expert--but I do know that per RFC any IP address which is accessible from the internet has got to have a PTR.  So does this imply that the addresses exist but were never assigned, or what?  Why would I ever see traffic from these addresses? (nmap decoy scans come to mind)...
