[Dshield] IP Spoofing question

Tony Earnshaw tonye at billy.demon.nl
Fri Feb 20 14:20:23 GMT 2004

Fri, 20.02.2004 at 14.47, Pete Cap wrote:

> I'm investigating scanning activity related to MyDoom/follow-ons/etc.
> on our host network.  At the moment I'm looking up host names, looking
> for trends in the sources and so forth, and getting the usual expected
> proportions (US, China, Brazil, France, assorted Eastern European
> nations).  However, I'm seeing quite a few returns with no DNS
> pointer records.  Now, I'm no DNS expert--but I do know that per RFC
> any IP address which is accessible from the internet has got to have a
> PTR.

"Supposed to", not "got to".

>   So does this imply that the addresses exist but were never assigned,
> or what?


>   Why would I ever see traffic from these addresses?

Lazy ISPs (my ISP has PTR records for all static and dynamic IP numbers,
but there are plenty of ISPs who can't be bothered in this country) and
incompetent DNS admins, just as a couple of examples.

This has nothing to do with IP spoofing.

>  (nmap decoy scans come to mind)...

It would be difficult to spoof an IP number for scans, because the
information would never come back to the origin without so-called source
routing. Snort would report if a packet were source routed, and my own
firewall software, Netfilter, is configured to reject all such packets,
along with other dud ones.
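The reverse lookups described in the question above, as an added example that is not part of the original thread: it classifies scan-source addresses as having no PTR, a PTR whose name does not resolve back (unconfirmed), or forward-confirmed reverse DNS. The resolver callbacks are injectable, and the sample addresses and names are constructed (RFC 5737 documentation ranges) so the run below is offline.

```python
import socket
from typing import Callable, Dict, List, Optional

def system_ptr(ip: str) -> Optional[str]:
    """PTR name for ip via the system resolver, or None if the reverse zone has none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    """All IPv4 addresses name resolves to (empty if it does not resolve)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def classify(ip: str, ptr: Callable[[str], Optional[str]] = system_ptr,
             fwd: Callable[[str], List[str]] = system_forward) -> str:
    """Return 'no-ptr', 'ptr-unconfirmed' or 'fcrdns' for one source address.
    'fcrdns' (forward-confirmed reverse DNS) means the PTR name resolves back to
    the same address; a bare PTR is weaker evidence, because whoever controls the
    reverse zone can put any name in it.
    """
    name = ptr(ip)
    if name is None:
        return "no-ptr"
    return "fcrdns" if ip in fwd(name) else "ptr-unconfirmed"

def summarize(ips, ptr=system_ptr, fwd=system_forward) -> Dict[str, List[str]]:
    """Group de-duplicated scan sources by classification, sorted for stable output."""
    groups: Dict[str, List[str]] = {"no-ptr": [], "ptr-unconfirmed": [], "fcrdns": []}
    for ip in sorted(set(ips)):
        groups[classify(ip, ptr, fwd)].append(ip)
    return groups

# Constructed sample data using RFC 5737 documentation ranges, not real scanners.
SAMPLE_PTR = {"192.0.2.10": "host-10.example.net",   # PTR with matching A record
              "198.51.100.7": "dsl-7.example.org"}   # PTR whose name points elsewhere
SAMPLE_A = {"host-10.example.net": ["192.0.2.10"],
            "dsl-7.example.org": ["198.51.100.8"]}
SAMPLE_SOURCES = ["203.0.113.99", "192.0.2.10", "198.51.100.7", "192.0.2.10"]
def demo() -> Dict[str, List[str]]:
    """Run the classifier over the constructed sample with offline lookups."""
    return summarize(SAMPLE_SOURCES, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for label, addrs in demo().items():
        print(f"{label:16} {', '.join(addrs) or '-'}")
```

Against live scan logs, call summarize() with the defaults so the system resolver is used; the "no-ptr" bucket is the set Pete asked about, and "ptr-unconfirmed" is worth a second look before trusting the name.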