[unisog] Collecting PTR names rather than IP addresses (Was: Re:IRC Bot list (cross posting))

Joel Anderson Joel.Anderson at mainnerve.com
Wed Feb 9 19:02:30 GMT 2005


Yes, there are places using this practice and there is a product called
Adaptive DarkNet that tracks and blocks based on IP. Basically works as
an adaptive egress filter. 

Joel Anderson


-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
Sent: Wednesday, February 09, 2005 10:03 AM
To: UNIversity Security Operations Group
Cc: nanog at nanog.org
Subject: Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re:IRC Bot list (cross posting))

On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
> 
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
> 
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.

The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who.  In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.
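The check Ketil's point implies, written out as an added example (not code from any poster on this thread): keep the IP as the primary key, and trust a PTR name only when it forward-confirms, i.e. the name's own A records contain the IP you started from. The DNS data here is a constructed in-memory table using documentation address ranges, so it runs offline; the two `live_*` helpers show the same check against real resolvers.

```python
import socket
from ipaddress import ip_address

# Constructed sample DNS data standing in for live lookups (not real hosts).
# 203.0.113.7's owner pointed its PTR at a name that looks like a Verizon DSL
# customer, but that name's forward record points somewhere else entirely.
PTR = {
    "203.0.113.7": "1-2-3-4.dsl.verizon.net",   # spoofed-looking PTR
    "198.51.100.4": "host4.example.edu",         # legitimate PTR
    "198.51.100.9": None,                        # no PTR at all
}
A = {
    "1-2-3-4.dsl.verizon.net": ["192.0.2.4"],    # does not contain 203.0.113.7
    "host4.example.edu": ["198.51.100.4"],
}

def table_ptr(ip):
    return PTR.get(ip)

def table_a(name):
    return A.get(name, [])

def live_ptr(ip):
    """Real reverse lookup; returns None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def live_a(name):
    """Real forward lookup; returns every address the name resolves to."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fcrdns(ip, ptr_lookup=table_ptr, a_lookup=table_a):
    """Forward-confirmed reverse DNS.  Returns (ip, ptr_name_or_None, status)
    where status is 'confirmed', 'mismatch' or 'no-ptr'.  The IP is always
    kept, so a forged PTR can never replace the one value that is trustworthy."""
    ip = str(ip_address(ip))          # normalise; raises ValueError on garbage
    name = ptr_lookup(ip)
    if not name:
        return ip, None, "no-ptr"
    if ip in a_lookup(name):
        return ip, name, "confirmed"
    return ip, name, "mismatch"

def bot_list_records(ips, **lookups):
    """Lines a bot list should record: IP first, PTR only with its status."""
    return ["%s %s %s" % fcrdns(ip, **lookups) for ip in ips]
```

Pass `ptr_lookup=live_ptr, a_lookup=live_a` to run the same check against real DNS.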
