Re: Packet from port 80 with spoofed microsoft.com ip
From: Valdis.Kletnieks@vt.edu
Date: 01/30/03
- Previous message: incidents-help@securityfocus.com: "Returned post for incidents@securityfocus.com"
- In reply to: Thiago Conde Figueiró: "Re: Packet from port 80 with spoofed microsoft.com ip"
- Next in thread: Rich Puhek: "Re: Packet from port 80 with spoofed microsoft.com ip"
To: Thiago Conde Figueiró <thiago.figueiro@ciphertech.com.br>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 29 Jan 2003 23:14:19 -0500

On Wed, 29 Jan 2003 15:12:01 -0200, Thiago Conde Figueiró said:
> One should not trust reverse DNS for identification. The
> administrator for 249.46.207.in-addr.arpa could spoof that response.
Damned good spoof if so:
% dig 249.46.207.in-addr.arpa soa
249.46.207.in-addr.arpa. 751 IN SOA dns.cp.msft.net. msnhst.microsoft.com. 2003012903 7200 900 7200000 3600
;; AUTHORITY SECTION:
46.207.in-addr.arpa. 53126 IN NS DNS2.cp.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.TK.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.SJ.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.DC.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.cp.msft.net.
;; ADDITIONAL SECTION:
DNS2.cp.msft.net. 237 IN A 207.46.138.21
DNS1.TK.msft.net. 114212 IN A 207.46.245.230
DNS1.SJ.msft.net. 114212 IN A 65.54.248.222
DNS1.DC.msft.net. 114212 IN A 207.68.128.151
DNS1.cp.msft.net. 114212 IN A 207.46.138.20
Which of course still doesn't prove that it wasn't a backscatter packet
from a forged SYN, or a forged SYN+ACK...
-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
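
Added example, not part of the original message: a Python check that reads the dig answer quoted above and reports whether the reverse zone's SOA primary and NS hosts sit under the organisation's own domains and carry glue. The `ORG_SUFFIXES` list and the function names are assumptions made for this illustration.

```python
# Added example: who operates a reverse-DNS zone, judged from captured dig output.
# DIG_OUTPUT is the answer quoted in the message; ORG_SUFFIXES is an assumption.
DIG_OUTPUT = """\
249.46.207.in-addr.arpa. 751 IN SOA dns.cp.msft.net. msnhst.microsoft.com. 2003012903 7200 900 7200000 3600
;; AUTHORITY SECTION:
46.207.in-addr.arpa. 53126 IN NS DNS2.cp.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.TK.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.SJ.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.DC.msft.net.
46.207.in-addr.arpa. 53126 IN NS DNS1.cp.msft.net.
;; ADDITIONAL SECTION:
DNS2.cp.msft.net. 237 IN A 207.46.138.21
DNS1.TK.msft.net. 114212 IN A 207.46.245.230
DNS1.SJ.msft.net. 114212 IN A 65.54.248.222
DNS1.DC.msft.net. 114212 IN A 207.68.128.151
DNS1.cp.msft.net. 114212 IN A 207.46.138.20
"""
ORG_SUFFIXES = ("msft.net", "microsoft.com")  # assumed list of the owner's domains

def parse_records(text):
    """Return (owner, type, rdata_fields) for each 'name ttl IN type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";") or fields[2] != "IN":
            continue  # skip section headers, comments and blank lines
        records.append((fields[0].lower().rstrip("."), fields[3], fields[4:]))
    return records

def under(host, suffixes):
    """True when host equals, or is a subdomain of, one of the suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def reverse_zone_report(text, suffixes=ORG_SUFFIXES):
    """Summarise who is authoritative for the reverse zone in the dig answer."""
    records = parse_records(text)
    soa = [r for r in records if r[1] == "SOA"]
    ns_hosts = [r[2][0] for r in records if r[1] == "NS"]
    glue = {name for name, rtype, _ in records if rtype == "A"}
    return {
        "soa_mname_in_org": bool(soa) and under(soa[0][2][0], suffixes),
        "ns_count": len(ns_hosts),
        "ns_outside_org": [h for h in ns_hosts if not under(h, suffixes)],
        "ns_missing_glue": [h for h in ns_hosts if h.lower().rstrip(".") not in glue],
    }

if __name__ == "__main__":
    print(reverse_zone_report(DIG_OUTPUT))
```

A clean report says only who controls the PTR data for the address block; it says nothing about whether the packet's source address was genuine.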
- Next message: Keith Owens: "Re: Packet from port 80 with spoofed microsoft.com ip"