On Wed, 29 Jan 2003 15:12:01 -0200, Thiago Conde Figueiró said:

> One should not trust reverse DNS for identification. The
> administrator for 249.46.207.in-addr.arpa could spoof that response.

Damned good spoof if so:

% dig 249.46.207.in-addr.arpa soa
249.46.207.in-addr.arpa. 751 IN SOA dns.cp.msft.net. msnhst.microsoft.com. 2003012903 7200 900 7200000 3600

;; AUTHORITY SECTION:
46.207.in-addr.arpa. 53126 IN NS DNS2.cp.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.TK.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.SJ.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.DC.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.cp.msft.net.

;; ADDITIONAL SECTION:
DNS2.cp.msft.net. 237 IN A 207.46.138.21
DNS1.TK.msft.net. 114212 IN A 207.46.245.230
DNS1.SJ.msft.net. 114212 IN A 65.54.248.222
DNS1.DC.msft.net. 114212 IN A 207.68.128.151
DNS1.cp.msft.net. 114212 IN A 207.46.138.20

Which of course still doesn't prove that it wasn't a backscatter packet
from a forged SYN, or a forged SYN+ACK...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
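The concern in the quoted text, that a PTR record is only a claim made by whoever administers the reverse zone, is what a forward-confirmed reverse DNS check tests. The following is an added example, not part of the original post: the lookup tables are constructed sample data on documentation addresses and stand in for real resolver calls, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample records standing in for live DNS answers.
# Addresses are from the documentation (TEST-NET) ranges.
PTR = {
    "10.2.0.192.in-addr.arpa": ["www.example.com."],
    # A reverse-zone admin can publish any name here, including someone else's.
    "66.100.51.198.in-addr.arpa": ["www.example.com."],
}
A = {"www.example.com.": ["192.0.2.10"]}


def ptr_lookup(name):
    """Hypothetical resolver stub: PTR names published for a reverse name."""
    return PTR.get(name, [])


def a_lookup(name):
    """Hypothetical resolver stub: A records published by the forward zone."""
    return A.get(name, [])


def fcrdns(ip, ptr=ptr_lookup, fwd=a_lookup):
    """Return only those PTR names whose forward lookup lists ip again."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(addr.reverse_pointer):
        forward = {ipaddress.ip_address(a) for a in fwd(name)}
        if addr in forward:
            confirmed.append(name)
    return confirmed


def classify(ip):
    """Label an address as confirmed, unconfirmed or no-ptr, with the names seen."""
    names = ptr_lookup(ipaddress.ip_address(ip).reverse_pointer)
    if not names:
        return "no-ptr", []
    ok = fcrdns(ip)
    # "confirmed" ties the address to the name's forward zone. It says nothing
    # about whether a packet carrying that source address was forged.
    return ("confirmed" if ok else "unconfirmed"), (ok or names)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.66", "203.0.113.7"):
        print(ip, *classify(ip))
```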