Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))

• Previous message (by thread): Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))
• Next message (by thread): Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 11, 2005 at 03:45:52PM +0000, Ketil Froyn wrote:
> 
> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
> 
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
> 
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.
> 
> Ketil

	PTR records are just as pointless as A records...
	in a secured DNS heirarchy, this is less of an issue
	since you have to spoof the entire delegation chain.
	so either trust the DNS (both forward and reverse)
	or not.  For forensics, collect the DNS lables and the
	IP addresses associated w/ them.

	and yes, i have seen DNS spoofing in the wild, both A
	and PTR, although A spoofing is much more pronounced.

--bill
	

• Previous message (by thread): Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))
• Next message (by thread): Collecting PTR names or IP addresses (Was: Re: IRC Bot list (cross posting))
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]