[Dshield] Odd traceroute, I *think* I know what's going on, but not sure.

Jon Kibler Jon.Kibler at aset.com
Wed Oct 8 17:34:31 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brenden Walker wrote:
> I was checking out a snort log entry, and thought this was odd.
>
> traceroute to 210.86.238.70 (210.86.238.70), 30 hops max, 40 byte packets
>  1  10.49.64.1 (10.49.64.1)  11.158 ms  11.016 ms  11.023 ms
>
> ...various hops, then this:
>
> *13  localhost (123.30.74.2)  647.139 ms 652.404 ms  657.893 ms *
> 14  gridportal.ioit-hcm.ac.vn (210.86.238.70) 642.764 ms  660.164 ms 490.590 ms
>
> When I do the same traceroute from a different network on a Windows box,
> it shows my local computer name in place of localhost.
>
> What I think this means is that some doofus in Vietnam (addresses owned
> by Vietnamese ISP) named a router localhost?  I could see windoze
> translating that into the local computer name/domain.
>
> Just the first time I've noticed this, anything to worry about?

Well, it doesn't mean that the router is named 'localhost'... rather, it
means that someone set up DNS to reply 'localhost' for
2.74.30.123.in-addr.arpa. In other words, the zone 30.123.in-addr.arpa
has a pointer record that reads:
2.74	IN	PTR	localhost.

Hope this clarifies it for you.

Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjs7ycACgkQUVxQRc85QlPChwCfSQ5GreXcDu9Wx+mv8cW050Xi
1jAAniTWzR/wusLlHLcbwyQS0EiWOLWa
=PTDd
-----END PGP SIGNATURE-----
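The PTR lookup described in the reply above, as an added example that is not part of the original message: it derives the reverse name and zone-relative owner for 123.30.74.2, then forward-confirms each PTR answer instead of trusting the hostname traceroute prints. The function names, the lookup tables and the 192.0.2.x entries are assumptions constructed for illustration; a real check would replace the tables with live DNS queries.

```python
import ipaddress

def reverse_name(ip):
    """Name that is queried for the PTR record of `ip` (no trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer

def owner_in_zone(ip, zone):
    """Owner label of the PTR record relative to `zone`, as written in a zone file."""
    name, zone = reverse_name(ip), zone.rstrip(".")
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside {zone}")
    return name[: -len(zone) - 1]

def classify_ptr(ip, ptr_lookup, a_lookup):
    """Forward-confirm a PTR answer rather than trusting it.

    ptr_lookup(name) -> hostname or None; a_lookup(hostname) -> list of IPs.
    Both are injected so the check runs offline on sample data.
    """
    target = ptr_lookup(reverse_name(ip))
    if target is None:
        return "no-ptr"
    host = target.rstrip(".").lower()
    # Whoever controls the reverse zone picks this string; 'localhost' says
    # nothing about the device that actually answered the probe.
    if host == "localhost" or host.endswith(".localhost"):
        return "special-use-name"
    if ip not in a_lookup(target):
        return "forward-mismatch"
    return "forward-confirmed"

# Constructed sample answers. The first two PTR targets are the hostnames shown
# in the traceroute output; every A answer and the 192.0.2.x rows are made up.
SAMPLE_PTR = {
    "2.74.30.123.in-addr.arpa": "localhost.",
    "70.238.86.210.in-addr.arpa": "gridportal.ioit-hcm.ac.vn.",
    "10.2.0.192.in-addr.arpa": "mail.example.com.",
}
SAMPLE_A = {
    "gridportal.ioit-hcm.ac.vn.": ["210.86.238.70"],
    "mail.example.com.": ["192.0.2.99"],
}
SAMPLE_IPS = ("123.30.74.2", "210.86.238.70", "192.0.2.10", "192.0.2.11")

def demo():
    """Classify every sample address against the constructed tables."""
    a_lookup = lambda host: SAMPLE_A.get(host, [])
    return {ip: classify_ptr(ip, SAMPLE_PTR.get, a_lookup) for ip in SAMPLE_IPS}

if __name__ == "__main__":
    print(owner_in_zone("123.30.74.2", "30.123.in-addr.arpa"), "IN PTR localhost.")
    for ip, verdict in demo().items():
        print(f"{ip:15} {reverse_name(ip):30} {verdict}")
```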



