[Gllug] [OT] Netgear DG834 and DOS attacks
Russell Howe
rhowe at siksai.co.uk
Wed Jul 20 17:06:41 UTC 2005
On Wed, Jul 20, 2005 at 12:51:04PM +0100, Wiehe, Simon wrote:
> > I would hope that you are not putting any trust in the domain name, only
> > the verified numerical IP address. Otherwise someone in Russia may be
> > receiving some undeserved complaints.
>
> No I did an nslookup on the ip address to find the source domain via a reverse DNS
> look up. That is where I got the domain from.
You can add a PTR record pointing anywhere you like if you control the
zone.
If you then checked that a forward lookup of the returned name resolved
to the IP address you originally looked up, then you could be fairly
confident.
The best way is to use whois, and look up the netblock there. You will
get to see the range the IP address falls within, and hopefully who it
is allocated to.
e.g.
$ nslookup 82.133.8.12
12.8.133.82.in-addr.arpa name = xiao.siksai.co.uk.
That doesn't really tell us much though, as 12.8.133.82.in-addr.arpa
could be controlled by anyone, returning PTR results that list any name
they wish.
$ nslookup xiao.siksai.co.uk
Name: xiao.siksai.co.uk
Address: 82.133.8.12
But, that says that the name 'xiao.siksai.co.uk' has an A record of
82.133.8.12, which matches the IP address we started with.
That says that the authoritative nameserver for xiao.siksai.co.uk lists
82.133.8.12 as the address for the name xiao.siksai.co.uk, which is a
bit more reliable.
Whois tells you even more...
$ whois 82.133.8.12
inetnum: 82.133.8.8 - 82.133.8.15
netname: NILDRAM-HOWER
Interestingly, if I do a whois lookup on me (NILDRAM-HOWER), I get:
$ whois -h whois.ripe.net NILDRAM-HOWER
inetnum: 82.133.8.8 - 82.133.8.15
netname: NILDRAM-HOWER
(as before)
But also
inetnum: 82.133.26.32 - 82.133.26.39
netname: NILDRAM-HOWER
No idea what these addresses are for - I guess it's from when I was half
signed up to a second account, before I realised I could just transfer
everything over to the new address. Unfortunately, the range isn't
routed to me :)
whois also tells you who to contact regarding the host at that IP
address:
tech-c: AM365-RIPE
nic-hdl: AM365-RIPE
person: Adrian Mardlin
address: Nildram Ltd
--
Russell Howe | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list