[Gllug] [OT] Netgear DG834 and DOS attacks

Russell Howe rhowe at siksai.co.uk
Wed Jul 20 17:06:41 UTC 2005


On Wed, Jul 20, 2005 at 12:51:04PM +0100, Wiehe, Simon wrote:
> >    I would hope that you are not putting any trust in the domain name, only
> > the verified numerical IP address. Otherwise someone in Russia may be
> > receiving some undeserved complaints.
> 
> No I did an nslookup on the IP address to find the source domain via a reverse DNS
> lookup. That is where I got the domain from.

You can add a PTR record pointing anywhere you like if you control the
zone.

If you then checked that a forward lookup of the returned name resolved
to the IP address you originally looked up, then you could be fairly
confident.

The best way is to use whois, and look up the netblock there. You will
get to see the range the IP address falls within, and hopefully who it
is allocated to.

e.g.

$ nslookup  82.133.8.12
12.8.133.82.in-addr.arpa        name = xiao.siksai.co.uk.

That doesn't really tell us much though, as 12.8.133.82.in-addr.arpa
could be controlled by anyone, returning PTR results that list any name
they wish.

$ nslookup  xiao.siksai.co.uk
Name:   xiao.siksai.co.uk
Address: 82.133.8.12

But, that says that the name 'xiao.siksai.co.uk' has an A record of
82.133.8.12, which matches the IP address we started with.

That says that the authoritative nameserver for xiao.siksai.co.uk lists
82.133.8.12 as the address for the name xiao.siksai.co.uk, which is a
bit more reliable.

Whois tells you even more...

$ whois 82.133.8.12
inetnum:      82.133.8.8 - 82.133.8.15
netname:      NILDRAM-HOWER

Interestingly, if I do a whois lookup on me (NILDRAM-HOWER), I get:

$ whois -h whois.ripe.net NILDRAM-HOWER
inetnum:      82.133.8.8 - 82.133.8.15
netname:      NILDRAM-HOWER
(as before)

But also

inetnum:      82.133.26.32 - 82.133.26.39
netname:      NILDRAM-HOWER

No idea what these addresses are for - I guess it's from when I was half
signed up to a second account, before I realised I could just transfer
everything over to the new address. Unfortunately, the range isn't
routed to me :)

whois also tells you who to contact regarding the host at that IP
address:

tech-c:       AM365-RIPE

nic-hdl:      AM365-RIPE
person:       Adrian Mardlin
address:      Nildram Ltd

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
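A scripted version of the two checks Russell walks through above (reverse-then-forward DNS confirmation, then a whois netblock lookup), as an added example that is not code from the post or from anyone in the thread. It runs offline: the lookup tables and the whois text are constructed here, modelled on the output shown in the post, and 198.51.100.7 is a hypothetical address from a documentation range whose PTR has been set to frame xiao.siksai.co.uk. The `live_reverse`/`live_forward` functions use the system resolver and are only there for real use.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional


# --- forward-confirmed reverse DNS ------------------------------------------

def reverse_ptr_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name whose PTR record is queried for ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def _is_addr(candidate: str, wanted: ipaddress._BaseAddress) -> bool:
    try:
        return ipaddress.ip_address(candidate) == wanted
    except ValueError:          # e.g. a scoped link-local address from getaddrinfo
        return False


def fcrdns(ip: str,
           reverse_lookup: Callable[[str], Optional[str]],
           forward_lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Reverse-resolve ip, then check that the returned name resolves back to ip.

    A PTR record on its own proves nothing: whoever controls the reverse zone
    can put any name in it. The name only counts as confirmed when its own
    A/AAAA records include the address we started from.
    """
    ptr = reverse_lookup(ip)
    if ptr is None:
        return {"ptr": None, "forward": [], "confirmed": False}
    ptr = ptr.rstrip(".").lower()
    forward = forward_lookup(ptr)
    wanted = ipaddress.ip_address(ip)
    return {"ptr": ptr, "forward": forward,
            "confirmed": any(_is_addr(a, wanted) for a in forward)}


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver (network access required)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed offline data. 82.133.8.12 mirrors the post; 198.51.100.7 is a
# hypothetical host whose PTR falsely claims to be xiao.siksai.co.uk.
FAKE_PTR = {"82.133.8.12": "xiao.siksai.co.uk", "198.51.100.7": "xiao.siksai.co.uk"}
FAKE_A = {"xiao.siksai.co.uk": ["82.133.8.12"]}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


# --- whois (RIPE-style) object parsing --------------------------------------

SAMPLE_WHOIS = """\
% Constructed sample in RIPE database format, shaped like the post's output.

inetnum:      82.133.8.8 - 82.133.8.15
netname:      NILDRAM-HOWER
tech-c:       AM365-RIPE

inetnum:      82.133.26.32 - 82.133.26.39
netname:      NILDRAM-HOWER
tech-c:       AM365-RIPE

nic-hdl:      AM365-RIPE
person:       Adrian Mardlin
address:      Nildram Ltd
"""


def parse_whois(text: str) -> List[Dict[str, List[str]]]:
    """Split 'key: value' whois output into objects; repeated keys become lists."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):   # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def find_inetnum(objects: List[Dict[str, List[str]]], ip: str) -> Optional[Dict[str, str]]:
    """Most specific inetnum containing ip, with its netname and tech-c contact."""
    addr = ipaddress.ip_address(ip)
    best = None
    for obj in objects:
        for rng in obj.get("inetnum", []):
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
            size = int(hi) - int(lo)
            if lo <= addr <= hi and (best is None or size < best[0]):
                best = (size, rng, obj)
    if best is None:
        return None
    _, rng, obj = best
    handle = obj.get("tech-c", [""])[0]
    contact = next((o for o in objects if handle and handle in o.get("nic-hdl", [])), None)
    return {"range": rng, "netname": obj.get("netname", [""])[0], "tech-c": handle,
            "person": contact["person"][0] if contact else ""}


if __name__ == "__main__":
    for ip in ("82.133.8.12", "198.51.100.7"):
        print(ip, reverse_ptr_name(ip), fcrdns(ip, fake_reverse, fake_forward))
    print(find_inetnum(parse_whois(SAMPLE_WHOIS), "82.133.8.12"))
```

The spoofed entry is the case the thread is worried about: its PTR says xiao.siksai.co.uk, but that name's A record is 82.133.8.12, not 198.51.100.7, so `confirmed` comes back False and a complaint should not go to siksai.co.uk. The whois half picks the smallest inetnum containing the address, since RIRs publish nested allocations and the most specific one is the customer assignment with the useful contact.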