Re: Packet from port 80 with spoofed microsoft.com ip
From: <Valdis.Kletnieks(at)vt.edu>
Date: Wed Jan 29 2003 - 23:14:19 EST

On Wed, 29 Jan 2003 15:12:01 -0200, Thiago Conde Figueiró said:
> One should not trust reverse DNS for identification. The

Damned good spoof if so:

% dig 249.46.207.in-addr.arpa soa

;; AUTHORITY SECTION:
46.207.in-addr.arpa.    53126   IN  NS  DNS2.cp.msft.net.
46.207.in-addr.arpa.    53126   IN  NS  DNS1.TK.msft.net.
46.207.in-addr.arpa.    53126   IN  NS  DNS1.SJ.msft.net.
46.207.in-addr.arpa.    53126   IN  NS  DNS1.DC.msft.net.
46.207.in-addr.arpa.    53126   IN  NS  DNS1.cp.msft.net.

;; ADDITIONAL SECTION:
DNS2.cp.msft.net.       237     IN  A   207.46.138.21
DNS1.TK.msft.net.       114212  IN  A   207.46.245.230
DNS1.SJ.msft.net.       114212  IN  A   65.54.248.222
DNS1.DC.msft.net.       114212  IN  A   207.68.128.151
DNS1.cp.msft.net.       114212  IN  A   207.46.138.20

Which of course still doesn't prove that it wasn't a backscatter packet
from a forged SYN, or a forged SYN+ACK...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT