Re: Packet from port 80 with spoofed microsoft.com ip

[Rich Puhek <rpuhek () etnsystems com>]

Thiago Conde Figueiró wrote:
> On Wed, 29 Jan 2003 21:46:53 +1100
> Michael Rowe <mrowe () mojain com> wrote:
>
> MR> I received a packet on my cable modem today, allegedly from
> MR> microsoft.com:
> (snip)
>
> MR> $ host 207.46.249.190
> MR> Name: www.domestic.microsoft.com
> MR> Address: 207.46.249.190
> MR> Aliases: microsoft.com microsoft.net www.us.microsoft.com
>
>         One should not trust reverse DNS for identification.  The
> administrator for 249.46.207.in-addr.arpa could spoof that response.

Very true.

>         I'm not saying the packet didn't come from there, as I didn't bother
> checking.  But that verification should be done with the proper
> authority (whois @internic.net, perhaps?).
#whois 207.46.249.190

OrgName:    Microsoft Corp
OrgID:      MSFT

NetRange:   207.46.0.0 - 207.46.255.255
CIDR:       207.46.0.0/16
NetName:    MICROSOFT-GLOBAL-NET
NetHandle:  NET-207-46-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Assignment
(snip)

That answers that question very quickly.


--Rich

_________________________________________________________

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek () etnsystems com
_________________________________________________________


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com