Security Basics mailing list archives

Re: dns-ish question.


From: "sodium" <sodiumlist () phreaker net>
Date: Fri, 30 May 2003 16:45:35 -0400

After the person finished the attack, he could have deleted the
name.domain.tld hostname from his DNS server. That is why you can't resolve
it now. Some people also do this with IRC to avoid denial of service
attacks. They connect from an IP that reverses and forwards to foo.bar.com.
After the IRC server verifies they have connected from a real hostname, the
user will then delete the DNS record or change the IP that the hostname
points to in the DNS record. So if you try to ping the person's hostname, it
will go to whatever new IP the person has assigned that hostname to or won't
resolve. DNS is dynamic in a sense: if someone connected an hour ago to your
server and his/her IP resolved to foo.bar.com, it doesn't mean it's going to
resolve to that now or even exist.

Hope that clears everything up,

sodium
mobsters.net

----- Original Message -----
From: "Zep" <zep () nemesis mmind net>
To: <security-basics () securityfocus com>
Sent: Thursday, May 29, 2003 10:23 PM
Subject: dns-ish question.



So I'm a super paranoid guy and I always keep a pretty
close eye on my httpd logs... when I encounter this strange entry
(or at least I think it's strange). I get an entry that says:

name.domain.tld - - [28/May/2003:01:40:09 -0500] "OPTIONS * HTTP/1.0" 200 0

I'm guessing the entry itself implies the end person is poking around,
looking for misconfigurations, et al... but the strange part
to me is I cannot look up name.domain.tld. Is this some
sort of misguided... idea of security? I could do a reverse
lookup to log, but...? It seems very flaky to me.

I thought it was perhaps a misconfiguration for this particular site,
but today a friend of mine has a very similar sort of log entry, only
with a doj.gov domain.   Any thoughts?
thanks.
--
                                             - Zep
                                      (zep () nemesis mmind net)

Where are we going, and why am I in this handbasket?
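
An added example, not part of either message above: a triage helper that re-checks the host field of Common Log Format entries against DNS as it stands now, separating names that no longer resolve from names that are forward-confirmed or mismatched. The function names, verdict labels and every sample line except the first (the entry quoted in the thread) are constructed for illustration.

```python
import ipaddress
import re
import socket

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# First line is the entry from the thread; the rest are constructed samples.
SAMPLE = [
    'name.domain.tld - - [28/May/2003:01:40:09 -0500] "OPTIONS * HTTP/1.0" 200 0',
    '192.0.2.7 - - [28/May/2003:01:41:00 -0500] "GET / HTTP/1.0" 200 512',
    'host.example.net - - [28/May/2003:01:42:00 -0500] "GET / HTTP/1.0" 200 512',
    'spoof.example.org - - [28/May/2003:01:43:00 -0500] "OPTIONS * HTTP/1.0" 200 0',
]

def system_forward(name):
    """Current A records for name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def system_reverse(ip):
    """Current PTR name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def classify_host(host, forward=system_forward, reverse=system_reverse):
    """Say how far the logged host field can be trusted as of now."""
    try:
        ipaddress.ip_address(host)
        return "ip-logged"                # server stored the address itself
    except ValueError:
        pass
    addrs = forward(host)
    if not addrs:
        return "no-forward-record"        # PTR-derived name with no A record today
    for ip in addrs:
        ptr = reverse(ip)
        if ptr and ptr.rstrip(".").lower() == host.rstrip(".").lower():
            return "forward-confirmed"    # name -> ip -> same name, right now
    return "forward-reverse-mismatch"     # name resolves, but PTR says otherwise

def triage(lines, forward=system_forward, reverse=system_reverse):
    """Return (host, request, verdict) for each parseable log line."""
    hits = (CLF.match(line.strip()) for line in lines)
    return [(m.group(1), m.group(3), classify_host(m.group(1), forward, reverse))
            for m in hits if m]
```

Every verdict reflects DNS at the moment of the check, not at the moment of the request, so only the client IP is a stable record; Apache's HostnameLookups directive controls whether httpd logs the address (Off) or a resolved name.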
