North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))
- From: Valdis.Kletnieks
- Date: Wed Feb 09 12:05:43 2005
On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
> > > http://www.albany.edu/~ja6447/hacked_bots8.txt
>
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
>
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.
The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who. In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.
Attachment:
pgp00002.pgp
Description: PGP signature
|
