[Dshield] IP Spoofing question
security at admin.fulgan.com
Fri Feb 20 15:20:52 GMT 2004
Nope, there is no requirement for an IP address to have a
corresponding PTR record. It is, however, considered "good netiquette"
to do so. In practice, however, many companies don't bother and many
others simply can't: they have been assigned a fractional class C
block and have therefore no control over the reverse.
However, you should be able to make a WHOIS query on these IPs and
kown who they where assigned to (netblock, company, etc.) You'll need
to run that query against all regional registries actually: ARIN,
APNIC, RIPE and LACNIC. If the address is show as belonging to IANA,
then it means it has not been attributed.
Now, one thing you should know: some larger spamgangs actually
"hijack" IP ranges that they don't own. This is done by having a
border router advertise the said range to neighbors via BGP (Border
Gateway Protocol): a protocol used to dynamically create routing
tables between carriers. The spammers just inject the new range in the
normal BGP flow, use it for a while and then cut it before anyone can
really notice. And what you end up with is spam coming from
apparently non-routed IP addresses and range that hasn't been
attributed to anyone.
PC> I'm investigating scanning activity related to
PC> MyDoom/follow-ons/etc. on our host network. At the moment I'm
PC> looking up host names, looking for trends in the sources and so
PC> forth, and getting the usual expected proportions (US, China,
PC> Brazil, France, assorted Eastern European nations). However, I'm
PC> seeing quite a bit of returns with no DNS pointer records. Now,
PC> I'm no DNS expert--but I do know that per RFC any IP address which
PC> is accessible from the internet has got to have a PTR. So does
PC> this imply that the addresses exist but were never assigned, or
PC> what? Why would I ever see traffic from these addresses? (nmap
PC> decoy scans come to mind)...
More information about the list