[unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 9 17:03:10 GMT 2005

On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.

The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who.  In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050209/e5d059f0/attachment-0002.bin

More information about the unisog mailing list