Security Incidents mailing list archives
Re: Packet from port 80 with spoofed microsoft.com ip
From: Rich Puhek <rpuhek () etnsystems com>
Date: Thu, 30 Jan 2003 11:20:19 -0600
Thiago Conde Figueiró wrote:
On Wed, 29 Jan 2003 21:46:53 +1100 Michael Rowe <mrowe () mojain com> wrote:

MR> I received a packet on my cable modem today, allegedly from
MR> microsoft.com:
(snip)
MR> $ host 207.46.249.190
MR> Name: www.domestic.microsoft.com
MR> Address: 207.46.249.190
MR> Aliases: microsoft.com microsoft.net www.us.microsoft.com

One should not trust reverse DNS for identification. The administrator for 249.46.207.in-addr.arpa could spoof that response.
Very true.
I'm not saying the packet didn't come from there, as I didn't bother checking. But that verification should be done with the proper authority (whois @internic.net, perhaps?).
#whois 207.46.249.190
OrgName: Microsoft Corp
OrgID: MSFT
NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
(snip)

That answers that question very quickly.

--Rich

_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek () etnsystems com
_________________________________________________________
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
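The two checks discussed in the message above (what reverse DNS claims versus what the address registry records), as an added example that is not part of the original post. The lookup tables, the 192.0.2.10 entry and all function names are constructed for illustration so the code runs offline; only the Microsoft whois fields come from the message.

```python
import ipaddress

# Registry data: the first record is the whois output quoted in the message
# above; the second is constructed (192.0.2.0/24 is a documentation range).
WHOIS_TEXTS = [
    "OrgName: Microsoft Corp\nNetRange: 207.46.0.0 - 207.46.255.255\nCIDR: 207.46.0.0/16\n",
    "OrgName: Example Org (constructed)\nCIDR: 192.0.2.0/24\n",
]
# Constructed DNS data. Whoever runs 2.0.192.in-addr.arpa can publish any PTR.
PTR = {"207.46.249.190": ["www.domestic.microsoft.com"],
       "192.0.2.10": ["www.microsoft.com"]}
A = {"www.domestic.microsoft.com": ["207.46.249.190"],
     "www.microsoft.com": ["207.46.249.190"]}

def parse_whois(text):
    """Turn 'Key: value' whois lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def registry_owner(ip, records):
    """OrgName of the most specific allocation covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(r["CIDR"]), r["OrgName"]) for r in records]
    hits = [h for h in hits if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def identify(ip, ptr=PTR, a=A, whois_texts=WHOIS_TEXTS):
    """Compare what reverse DNS claims with what can be cross-checked."""
    names = ptr.get(ip, [])
    # Forward-confirmed reverse DNS: keep a PTR name only if its A record
    # points back at the same address.
    confirmed = [n for n in names if ip in a.get(n, [])]
    records = [parse_whois(t) for t in whois_texts]
    return {"ptr": names, "forward_confirmed": confirmed,
            "registry_owner": registry_owner(ip, records)}

if __name__ == "__main__":
    for ip in PTR:
        print(ip, identify(ip))
```

Both checks describe who the address belongs to, not whether the source address on the packet was genuine.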
Current thread:
- Packet from port 80 with spoofed microsoft.com ip Michael Rowe (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Chris Wilkes (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Thiago Conde Figueiró (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Rich Puhek (Jan 30)
- Re: Packet from port 80 with spoofed microsoft.com ip H C (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Keith Owens (Jan 30)
- Message not available
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Russell Fulton (Jan 31)
- Message not available
- Message not available
- <Possible follow-ups>
- RE: Packet from port 80 with spoofed microsoft.com ip NESTING, DAVID M (SBCSI) (Jan 29)