Firewall Wizards mailing list archives

Re: "Re: a fun new tool from us... & 'Today's occurances' "


From: Kaptain <kaptain () kaptain com>
Date: Wed, 28 Apr 1999 18:54:27 -0700 (PDT)

On Wed, 28 Apr 1999, Paul D. Robertson wrote:

On Tue, 27 Apr 1999, Philip S Holt, Security Engineer / Network Engineer wrote:

Here's the deal.
   @ 16:40:05 BOF reports    ... (mjr's little gem)
   FTP connection from 209.233.142.18    ...
   nslookup reveals that this is the University Of Washington.

Not on my system, but I prefer dig -  

 [root@gargoyle root]# dig 18.142.233.209.in-addr.arpa any any | more

 ; <<>> DiG 8.1 <<>> 18.142.233.209.in-addr.arpa any any 
 ;; res options: init recurs defnam dnsrch
 ;; got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
 ;; QUERY SECTION:
 ;;      18.142.233.209.in-addr.arpa, type = ANY, class = ANY

 ;; ANSWER SECTION:
 18.142.233.209.in-addr.arpa.  1h56m45s IN PTR  
 adsl-209-233-142-18.dsl.lsan03.pacbell.net.

 ;; AUTHORITY SECTION:
 142.233.209.in-addr.arpa.  1h56m45s IN NS  ns1.pbi.net.
 142.233.209.in-addr.arpa.  1h56m45s IN NS  ns2.pbi.net.

 ;; ADDITIONAL SECTION:
 ns1.pbi.net.            1d23h56m40s IN A  206.13.28.11
 ns2.pbi.net.            1d23h56m40s IN A  206.13.29.11


Both authoritative servers return the same data.


Whois corroborates this:

 [root@gargoyle root]# whois 209.233.142.18@whois.arin.net
 [whois.arin.net]
 Pacific Bell Internet Services,Inc. (NETBLK-PBI-NET-5) PBI-NET-5
                                                 209.232.0.0 - 209.233.255.255
 Donovan Williams (NETBLK-PBI-CUSTNET-6607) PBI-CUSTNET-6607
                                               209.233.142.16 - 209.233.142.23

   @ the bottom of the nslookup entry - as follows:
   Name adsl-209-233-142-18-dsl.lsan03.pacbell.net
   Now, what exactly is the relationship between this entry (the dsl line
   @ pacbell) to that of my dial-up connection through US Worst?

If 209.233.142.18 is the IP address that showed up in your logs, then 
that's the address the packets were launched from.

Maybe you've got some extraneous nameserver information from UW, though 
they're not authoritative for the domains in question; or maybe you're 
misinterpreting the data.

FWIW, ns1.pbi.net and ns2.pbi.net show the same address, that's a no-no.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Paul, pardon my ignorance, but why is this a no-no?  Wouldn't you want any
authoritative sources to show the same address for the same location?
Maybe I'm just missing somethin...

/Aaron
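
As an added example (not part of the thread, and not anyone's code from it), a Python script that does by program what the two lookups above do by hand: it builds the in-addr.arpa name for an address, parses dig's "owner ttl IN type rdata" lines (the output quoted above is embedded as a constructed sample, including the PTR rdata wrapped onto its own line), and reports the PTR together with each authoritative NS and its glue address, flagging any address that more than one NS name points at, which is the redundancy check behind the "same address" remark. On the records quoted here ns1 and ns2 carry different addresses, so nothing is flagged; the test case with two NS names on one host is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the dig 8.1 answer quoted in the thread, with the PTR
# rdata wrapped onto its own line exactly as it appeared in the mail.
DIG_OUTPUT = """\
;; ANSWER SECTION:
18.142.233.209.in-addr.arpa.  1h56m45s IN PTR
adsl-209-233-142-18.dsl.lsan03.pacbell.net.
;; AUTHORITY SECTION:
142.233.209.in-addr.arpa.  1h56m45s IN NS  ns1.pbi.net.
142.233.209.in-addr.arpa.  1h56m45s IN NS  ns2.pbi.net.
;; ADDITIONAL SECTION:
ns1.pbi.net.            1d23h56m40s IN A  206.13.28.11
ns2.pbi.net.            1d23h56m40s IN A  206.13.29.11
"""

def reverse_name(ip):
    """209.233.142.18 -> 18.142.233.209.in-addr.arpa (the name dig was given)."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_dig(text):
    """Map (owner, type) -> [rdata, ...] from 'owner ttl IN type rdata' lines."""
    records, pending = defaultdict(list), None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith(";"):
            continue                      # blank line or ';;' section banner
        if pending:                       # rdata continued from the previous line
            fields, pending = pending + fields, None
        if len(fields) == 4 and fields[2] == "IN":
            pending = fields              # 'owner ttl IN type', rdata still to come
            continue
        if len(fields) >= 5 and fields[2] == "IN":
            records[(fields[0].lower(), fields[3])].append(fields[4].lower())
    return records

def check_reverse(ip, text):
    """PTR for ip, each NS with its glue addresses, and any address that
    more than one NS name points at (two names on one host is no redundancy)."""
    recs = parse_dig(text)
    ptr = recs.get((reverse_name(ip) + ".", "PTR"), [])
    ns_names = [n for (_, t), v in recs.items() if t == "NS" for n in v]
    ns_addrs = {n: recs.get((n, "A"), []) for n in ns_names}
    by_addr = defaultdict(list)
    for name, addrs in ns_addrs.items():
        for addr in addrs:
            by_addr[addr].append(name)
    shared = {a: ns for a, ns in by_addr.items() if len(ns) > 1}
    return {"ptr": ptr, "ns": ns_addrs, "shared_addresses": shared}
```

Run `check_reverse("209.233.142.18", DIG_OUTPUT)` to see the parsed PTR and NS glue; pass it the saved output of your own `dig <name> any` to check a zone you operate.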


