[PLUG] A little worm sniffing

Stafford A. Rau srau at rauhaus.org
Sun Jun 22 00:39:01 UTC 2003


* Elliott Mitchell <ehem at m5p.com> [030621 23:34]:
 
> I'd say there is no need to notify no-ip.org though. Notice the IP
> address they're returning? 255.255.255.255 is the global broadcast IP
> address.

Yes, I'm well enough versed in ip fundamentals to know what an all-ones
broadcast is. However, returning 255.255.255.255 in the answer section
of a DNS reply is not the same thing as trying to send unicast (or
broadcast) traffic to that address.

No-ip.org is, now that I've taken a look, a dynamic dns registration
service. Say, for instance, that I had a host on a cable internet
service and had to get my ip via dhcp. However, suppose I wanted all my
buddies to be able to get to that host by name whenever it was up and
running. I could install the no-ip.org client on my host, and whenever
that host gets a dhcp-assigned address, the no-ip.org client then calls
up no-ip.org, does some sort of authentication (not address-based,
obviously), and tells no-ip.org to return my dhcp address as the reply
to dns queries for stafford-at-home.no-ip.org.

It may be that no-ip.org returns 255.255.255.255 for all hostnames that
they have registered but which they have not heard from the client with
a new address.

Regardless, whoever registered "fucktard" with them is using it as the
phone-home signal for their bit of irc remote control nastiness, and the
no-ip.org folks need to not accept new ip address client requests for
that hostname.

--Stafford
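
An added detection example, not part of the original message: it takes the guess above (a registered dynamic-DNS hostname whose client has not checked in answers with 255.255.255.255) and flags internal hosts that keep looking up such a name, which is what an infected machine waiting on its phone-home hostname would look like in resolver logs. The log format, the `ddns.example` suffix and the threshold of 3 are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample resolver log: "<time> <client> <qname> A <answer>"
SAMPLE_LOG = """\
2003-06-21T23:01:10Z 10.0.0.15 bot-c2.ddns.example A 255.255.255.255
2003-06-21T23:06:10Z 10.0.0.15 bot-c2.ddns.example A 255.255.255.255
2003-06-21T23:11:10Z 10.0.0.15 BOT-C2.ddns.example. A 255.255.255.255
2003-06-21T23:12:00Z 10.0.0.22 home-box.ddns.example A 198.51.100.7
2003-06-21T23:13:00Z 10.0.0.22 www.example.org A 255.255.255.255
2003-06-21T23:14:00Z 10.0.0.31 parked.ddns.example A 255.255.255.255
garbage line
"""

def is_placeholder(answer):
    """True if the A record cannot be a real unicast destination."""
    try:
        addr = ipaddress.IPv4Address(answer)
    except ipaddress.AddressValueError:
        return False
    return (addr == BROADCAST or addr.is_unspecified
            or addr.is_loopback or addr.is_multicast)

def under_suffix(qname, suffixes):
    """Case-insensitive match of qname against dynamic-DNS zone suffixes."""
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def repeated_parked_lookups(log_text, suffixes, threshold=3):
    """Return {(client, qname): count} for clients that repeatedly look up
    a dynamic-DNS name whose answer is a placeholder address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "A":
            continue  # skip malformed lines and non-A records
        _, client, qname, _, answer = fields
        if under_suffix(qname, suffixes) and is_placeholder(answer):
            hits[(client, qname.lower().rstrip("."))] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for (client, name), n in repeated_parked_lookups(SAMPLE_LOG, ["ddns.example"]).items():
        print(f"{client} looked up parked name {name} {n} times")
```

A single lookup of a parked name is not flagged, since a person checking whether a friend's host is up produces the same record; the repetition from one client is the signal.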



