[Dshield] Odd traceroute, I *think* I know what's going on, but not sure.

Brenden Walker BKWalker at drbsystems.com
Wed Oct 8 17:47:55 GMT 2008


> -----Original Message-----
> From: Jon Kibler [mailto:Jon.Kibler at aset.com]
> Sent: Wednesday, October 08, 2008 1:35 PM
> To: General DShield Discussion List; Brenden Walker
> Subject: Re: [Dshield] Odd traceroute, I *think* I know what's going on, but not sure.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Brenden Walker wrote:
> > I was checking out a snort log entry, and thought this was odd.
> >
> >
<snip>
> > When I do the same traceroute from a different network on a windows box,
> > it shows my local computer name in place of localhost.
> >
> > What I think this means is that some doofus in Vietnam (addresses owned
> > by Vietnamese ISP) named a router localhost?  I could see windoze
> > translating that into the local computer name/domain.
> >
> >
> >
> > Just the first time I've noticed this, anything to worry about?
> >
> >
>
> Well, it doesn't mean that the router is named 'localhost'... rather, it
> means that someone set up DNS to reply 'localhost' for
> 2.74.30.123.in-addr.arpa. In other words, the zone 30.123.in-addr.arpa
> has a pointer record that reads:
> 2.74    IN      PTR     localhost.
>
> Hope this clarifies it for you.


Sure does, thanks!
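
Added example, not part of either message above: a small Python check that treats the name traceroute prints for a hop as what it is, the contents of a PTR record, and compares it against forward (A record) data. The traceroute lines, the FORWARD table and the function names are constructed for illustration; only 123.30.74.2 is taken from the thread (it is the address behind 2.74.30.123.in-addr.arpa).

```python
import ipaddress
import re

# Constructed traceroute output; only 123.30.74.2 comes from the thread.
SAMPLE = """\
 9  gw1.example.net (192.0.2.1)  180.1 ms
10  core.example.net (198.51.100.7)  201.9 ms
11  localhost (123.30.74.2)  312.4 ms
12  203.0.113.9 (203.0.113.9)  315.0 ms
"""

# Constructed forward (A record) data standing in for live DNS lookups.
FORWARD = {
    "gw1.example.net": {"192.0.2.1"},
    "core.example.net": {"198.51.100.99"},   # PTR and A disagree
    "localhost": {"127.0.0.1"},
}

HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([0-9.]+)\)")

def ptr_owner(ip):
    """Name that is queried for the PTR record of ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def classify(name, ip, forward):
    """Judge a hop label; the PTR target is whatever the zone owner typed."""
    key = name.rstrip(".").lower()
    if name == ip:
        return "no-ptr"                      # traceroute fell back to the IP
    if key == "localhost" and not ipaddress.ip_address(ip).is_loopback:
        return "ptr-claims-localhost"        # the case in this thread
    if ip not in forward.get(key, set()):
        return "forward-mismatch"            # name does not map back to the IP
    return "forward-confirmed"

def audit(text, forward=FORWARD):
    """Return (hop, ip, PTR owner name, verdict) for each traceroute line."""
    rows = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hop, name, ip = m.groups()
            rows.append((int(hop), ip, ptr_owner(ip), classify(name, ip, forward)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Only the address in parentheses identifies the hop; a name counts as evidence only when the forward lookup maps back to that same address.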


