nanog mailing list archives

Re: [unisog] Collecting PTR names rather than IP addresses (Was: Re: IRC Bot list (cross posting))


From: Valdis.Kletnieks () vt edu
Date: Wed, 09 Feb 2005 12:03:10 -0500

On Wed, 09 Feb 2005 12:11:16 GMT, Ketil Froyn said:
> http://www.albany.edu/~ja6447/hacked_bots8.txt
>
> Isn't it a good idea to collect the IP addresses rather than the ptr
> name? For instance, if I were an evil person in control of the ptr
> record of my own IP, I could easily make the name something like
> 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> be sure you got the right details!
>
> Something like this is probably not very widespread (has anyone seen it
> in practice?), but I still think that for tracking purposes, ptr records
> are useless. IMHO.

The kiddies have been doing it for *years* on IRC to make their hostnames show
up as various 31337 values on a /who.  In fact, if you know what you're doing
you don't even need control of the PTR record - many older versions of BIND
were incredibly susceptible to DNS cache poisoning.
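
One way to act on the point made in this thread, as an added example that is not part of the original messages: key every record on the IP address and count a PTR name as confirmed only when it resolves forward to that same address. The function names, addresses and hostnames below are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data (documentation address ranges, example.net names).
SAMPLE_PTR = {
    "192.0.2.10": ["host10.example.net."],
    "198.51.100.7": ["1-2-3-4.dsl.example.net."],  # name chosen by the IP's owner
}
SAMPLE_FWD = {
    "host10.example.net": ["192.0.2.10"],
    "1-2-3-4.dsl.example.net": ["203.0.113.4"],  # forward zone disagrees
}

def system_ptr(ip):
    """PTR lookup through the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_fwd(name):
    """A/AAAA lookup through the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def classify_ptr(ip, ptr_lookup=system_ptr, fwd_lookup=system_fwd):
    """Key the record on the IP; a PTR name counts only if it resolves back."""
    addr = ipaddress.ip_address(ip)
    record = {"ip": str(addr), "confirmed": [], "unconfirmed": []}
    for raw in ptr_lookup(str(addr)):
        name = raw.rstrip(".").lower()
        forward = set()
        for text in fwd_lookup(name):
            try:
                forward.add(ipaddress.ip_address(text))
            except ValueError:
                continue  # skip anything that is not an address
        bucket = "confirmed" if addr in forward else "unconfirmed"
        record[bucket].append(name)
    return record

def classify_sample(ip):
    """Run the check against the constructed tables above (no network)."""
    return classify_ptr(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_FWD.get(n, []))

if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        print(classify_sample(sample_ip))
```

The forward lookup is itself a resolver answer, so even a confirmed name is an annotation on the stored IP, not a substitute for it.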
