[unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))

Dave Dittrich dittrich at u.washington.edu
Wed Feb 9 19:43:27 GMT 2005

On Wed, 9 Feb 2005, Ketil Froyn wrote:

> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.

Because of the fact that DNS<=>IP mappings can change over time, it
is best to always get both sides of the equation and note the time
at which you obtained this information (and timezone, and known time
reference source or skew from a trusted time source.)  This is most
important when also keeping other associated records, such as syslog
(which may include only IP or DNS, depending on what is doing the
logging), sniffer logs (typically only containing IP address, except
for captured keystrokes, which can have either DNS or IP), etc.

This mapping over time can be a real source of confusion.

Dave Dittrich                           Information Assurance Researcher,
dittrich at u.washington.edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
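
Added example (not part of the original message): one way to capture both sides of the mapping with a timestamp and time-source note, as the reply recommends. The function names, record fields, addresses and the `example.net` name are assumptions constructed for illustration; the demo uses stub resolvers so it runs offline.

```python
import ipaddress
import json
import socket
from datetime import datetime, timezone

def system_reverse(ip):
    """PTR names for ip from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def system_forward(name):
    """Addresses that name resolves to right now ([] if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def observe(ip, reverse=system_reverse, forward=system_forward,
            now=None, time_source="local clock, unverified", skew_seconds=None):
    """Record both sides of the mapping plus when and by what clock it was seen."""
    ip = str(ipaddress.ip_address(ip))            # reject anything that is not an IP
    now = now or datetime.now(timezone.utc)       # timezone-aware, stored as UTC
    names = reverse(ip)
    fwd = {n: forward(n) for n in names}
    return {
        "ip": ip,
        "ptr_names": names,                       # what the PTR owner claims
        "forward": fwd,                           # what each claimed name maps back to
        "forward_confirmed": [n for n in names if ip in fwd[n]],
        "observed_at": now.isoformat(),
        "time_source": time_source,
        "skew_seconds": skew_seconds,             # None = not measured
    }

# Constructed data: a PTR record set by the address holder to imitate an ISP name.
FAKE_PTR = {"192.0.2.10": ["1-2-3-4.dsl.example.net"]}
FAKE_A = {"1-2-3-4.dsl.example.net": ["198.51.100.4"]}

def demo():
    return observe("192.0.2.10",
                   reverse=lambda ip: FAKE_PTR.get(ip, []),
                   forward=lambda n: FAKE_A.get(n, []),
                   now=datetime(2005, 2, 9, 19, 43, 27, tzinfo=timezone.utc),
                   time_source="NTP (assumed)", skew_seconds=0.0)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An empty `forward_confirmed` list means the PTR name does not resolve back to the observed address, so the record should be tracked by IP and the name treated as unverified.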
