[Emerging-Sigs] RBN-Blackhole evasion tactic
Jack Pepper
pepperjack at afferentsecurity.com
Thu Feb 14 15:17:46 EST 2008
Quoting Jim McQuaid <jim.mcquaid at gmail.com>:
> Last weekend I found several new RBN domains and IP ranges. They have
> adopted a new tactic, which is to use an "*" as the subdomain's name.
> When one tries to use an asterisk as a subdomain in Smoothwall's
Do we need to watch for embedded asterisks in the subdomains? Like
"abc*def.something.com" ? Or will it always be an asterisk by itself?
Does the asterisk always have to be in the first field or do we need
to watch for things like "www.*.something.com" ?
Do we care whether it's A records, or PTR replies, or MX records?
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
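
The cases raised in the message above (an asterisk by itself, an asterisk embedded in a label, an asterisk in a label other than the first, and names in A, PTR or MX data) can be told apart by checking every label of every name in a record. The following is an added example, not code from the post or from the Emerging-Sigs list; the `qname rtype rdata` log format, the function names and all sample records are constructed assumptions.

```python
# Added example: classify where "*" appears in DNS names seen in log records.
# The log format (qname, rtype, rdata) and all names below are constructed.

# Record types whose RDATA carries a domain name worth inspecting as well.
NAME_RDATA = {"PTR", "MX", "CNAME", "NS"}

def classify_name(name):
    """Return a list of (label_index, label, kind) for labels containing '*'.

    kind is 'lone-leftmost' (label is exactly '*' and is the first label),
    'lone-inner' (exactly '*' but not first), or 'embedded' ('*' mixed
    with other characters). Index 0 is the leftmost label.
    """
    hits = []
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if "*" not in label:
            continue
        if label == "*":
            kind = "lone-leftmost" if i == 0 else "lone-inner"
        else:
            kind = "embedded"
        hits.append((i, label, kind))
    return hits

def scan_record(line):
    """Scan one 'qname rtype rdata' line; check the owner name and, for
    name-bearing types, the name inside RDATA (MX: after the preference)."""
    qname, rtype, rdata = line.split(None, 2)
    findings = [("owner", qname, h) for h in classify_name(qname)]
    if rtype.upper() in NAME_RDATA:
        target = rdata.split()[-1]          # MX rdata is "<pref> <exchange>"
        findings += [("rdata", target, h) for h in classify_name(target)]
    return findings

SAMPLE_LOG = [  # constructed records, example.* names only
    "*.example.com A 192.0.2.10",
    "www.*.example.com A 192.0.2.11",
    "abc*def.example.com A 192.0.2.12",
    "10.2.0.192.in-addr.arpa PTR *.example.net.",
    "example.org MX 10 mail.*.example.org.",
    "www.example.com A 192.0.2.13",
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        for where, name, (idx, label, kind) in scan_record(rec):
            print(f"{kind:14} {where:5} label#{idx} {name}  [{rec}]")
```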