1995-08-08 - Re: Two-faced Security Problem? Dammit Janus?

Header Data

From: “Chris Brenton” <Chris.Brenton@newsedge.com>
To: <cypherpunks@toad.com>
Message Hash: 519c466392ca9ea2c9b74541d5361acb3699673eec88cdbd85c6a0be8d12c0f7
Message ID: <9508080837.AA16436@herne.newsedge.com>
Reply To: N/A
UTC Datetime: 1995-08-08 12:34:34 UTC
Raw Date: Tue, 8 Aug 95 05:34:34 PDT

Raw message

From: "Chris Brenton" <Chris.Brenton@newsedge.com>
Date: Tue, 8 Aug 95 05:34:34 PDT
To: <cypherpunks@toad.com>
Subject: Re: Two-faced Security Problem? Dammit Janus?
Message-ID: <9508080837.AA16436@herne.newsedge.com>
MIME-Version: 1.0
Content-Type: text/plain


In reply to:
>
>
>After poking around for a week, I discovered that my home machine,
>newray.digex.net, is listed in the Digex's nameservers TWICE! Once with
the
>IP address that my home machine is waiting for (199.125.128.5) and once
>with some other IP address in the digex space (164.109.211.61). If you do
>an
nslookup on the name, you get both addresses. I believe that the
>technically correct thing for someone to do is to choose one of the
>addresses at random to distribute the load between two machines pretending
>to
be one. This explains the connection failures that happened half of the
>time.
>
>This has led me to wonder, though, whether this is some sort of
security
>breech. For instance, could there be someone out there mascarading as
me?
>Normally I run Eudora, Netscape, Telnet and other outward bound
>applications. It was almost a fluke that I noticed that there were two
>entries.
>

More likely this is a matter of someone assigning a host name to a system
without realizing it has already been taken. Yes it can be a security breech but
as you experienced the connection is broken easily. If someone wanted to grab
your identity they would more likely busy your system (by flooding you with ping
requests or something similar) and then grab you IP address.

>Does some software need to find its IP address in a DNS table? For
>instance, does Eudora need to look up  164.109.211.61 to find
>"newray.digex.net"? 

The lookup typically goes the other way around, from host--->IP address.
Dependant on the cache hits either address could be returned.







Thread