Security Basics mailing list archives
Re: dns-ish question.
From: "sodium" <sodiumlist () phreaker net>
Date: Fri, 30 May 2003 16:45:35 -0400
After the person finished the attack, he could have deleted the name.domain.tld hostname from his DNS server. That is why you can't resolve it now.

Some people also do this with IRC to avoid denial of service attacks. They connect from an IP that reverses and forwards to foo.bar.com. After the IRC server verifies they have connected from a real hostname, the user will then delete the DNS record or change the IP that the hostname points to in the DNS record. So if you try to ping the person's hostname, it will go to whatever new IP the person has assigned that hostname to, or won't resolve.

DNS is dynamic in a sense: if someone connected an hour ago to your server and his/her IP resolved to foo.bar.com, that doesn't mean it's going to resolve to that now or even exist.

Hope that clears everything up,

sodium
mobsters.net

----- Original Message -----
From: "Zep" <zep () nemesis mmind net>
To: <security-basics () securityfocus com>
Sent: Thursday, May 29, 2003 10:23 PM
Subject: dns-ish question.
So I'm a super paranoid guy and I always keep a pretty close eye on my httpd logs... when I encounter this strange entry (or at least I think it's strange). I get an entry that says:

name.domain.tld - - [28/May/2003:01:40:09 -0500] "OPTIONS * HTTP/1.0" 200 0

I'm guessing the entry itself implies the end person is poking around, looking for misconfigurations, et al... but the strange part to me is I can not look up name.domain.tld. Is this some sort of misguided... idea of security? I could do a reverse lookup to log, but...? It seems very flaky to me. I thought it was perhaps a misconfiguration for this particular site, but today a friend of mine has a very similar sort of log entry, only with a doj.gov domain. Any thoughts? Thanks.

--
- Zep (zep () nemesis mmind net)
Where are we going, and why am I in this handbasket?
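The sequence sodium describes (pass the server's reverse-then-forward hostname check, then delete or repoint the record so the name in the log no longer resolves) replayed in code. This is an added example, not part of the thread: the log line is the one Zep quoted, the DNS data is a constructed in-memory zone (192.0.2.10, 198.51.100.7 and foo.bar.com are placeholders) so it runs offline, and "FCrDNS" is the usual name for the reverse-plus-forward check the reply refers to, not a term either poster used. The live resolver helpers are there only to show how the same check is done against real DNS.

```python
"""Forward-confirmed reverse DNS versus what an httpd log records.

Added example; not from the original thread. The log line is the one quoted in
the post; all DNS data is a constructed fake zone so the script runs offline.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Apache "common" log format. The first field is the client, which is an IP
# unless the server resolves it at log time (HostnameLookups On), as in the post.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

Resolver = Callable[[str], List[str]]


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Split a common-log line and flag whether the client field is an address."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    try:
        ipaddress.ip_address(rec["client"])
        rec["client_is_ip"] = True
    except ValueError:
        rec["client_is_ip"] = False  # a hostname was logged; the IP itself is gone
    return rec


def fcrdns(ip: str, reverse: Resolver, forward: Resolver) -> Optional[str]:
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) must contain ip.

    Returns the confirmed hostname, or None when either step fails or disagrees.
    """
    for name in reverse(ip):
        if ip in forward(name):
            return name
    return None


class FakeZone:
    """Constructed in-memory DNS data standing in for the user's own name server."""

    def __init__(self, ptr: Dict[str, List[str]], a: Dict[str, List[str]]) -> None:
        self.ptr, self.a = ptr, a

    def reverse(self, ip: str) -> List[str]:
        return list(self.ptr.get(ip, []))

    def forward(self, name: str) -> List[str]:
        return list(self.a.get(name, []))


def live_reverse(ip: str) -> List[str]:
    """Real PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except socket.herror:
        return []


def live_forward(name: str) -> List[str]:
    """Real A lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def hostname_trick_demo() -> Dict[str, object]:
    """Replay the sequence from the reply: pass the check, then pull the record."""
    ip = "192.0.2.10"  # documentation range; constructed
    zone = FakeZone(ptr={ip: ["foo.bar.com"]}, a={"foo.bar.com": [ip]})

    at_connect = fcrdns(ip, zone.reverse, zone.forward)  # passes: "foo.bar.com"

    # Afterwards the user repoints the hostname at some unrelated address...
    zone.a["foo.bar.com"] = ["198.51.100.7"]
    repointed = zone.forward("foo.bar.com")

    # ...or deletes it outright, so the name in your log no longer resolves.
    del zone.a["foo.bar.com"]
    after_delete = zone.forward("foo.bar.com")
    recheck = fcrdns(ip, zone.reverse, zone.forward)  # PTR still there, A gone

    return {
        "at_connect": at_connect,
        "repointed_to": repointed,
        "after_delete": after_delete,
        "recheck": recheck,
    }


if __name__ == "__main__":
    LINE = 'name.domain.tld - - [28/May/2003:01:40:09 -0500] "OPTIONS * HTTP/1.0" 200 0'
    print(parse_log_line(LINE))
    print(hostname_trick_demo())
```

The practical point for the log question: once the server writes only the hostname, the address is unrecoverable if the record later changes, so log the IP and resolve (and forward-confirm) at analysis time instead.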