27 Jan 23:33
Re: mod-security-users Digest, Vol 68, Issue 16
chris derham <chris <at> derham.me.uk>
2012-01-27 22:33:14 GMT
>>> THAT is basically the big question we want to find out - IF IT IS OWNED BY Google.
>>> That cannot reliably be done via reverse-DNS (as you stated above).
>>>
>>> So, what we would need to do now, would be to do a reverse lookup and a
>>> forward lookup on the result, asserting that the forward lookup points to
>>> the original IP address:
>>>
>>> EVIL-IP --reverse-lookup--> IP.crawl.google.com
>>> IP.crawl.google.com ----dns-lookup----> 1.2.3.4
>>>
>>> 1.2.3.4 =? EVIL-IP
>>>
>>> Thus, to mask your evil IP by your devilish DNS, you'd also have to have
>>> some control over the forward DNS resolver.
>>>
>>> Still doable, but requires more effort.
>>> Does that sound better to you
>>
>> In theory yes; practically, what you are trying to do is not possible.
>>
>> It is dangerous: there is no RFC saying the A record and PTR need to match,
>> and there never will be, because they cannot match in all cases,
>> e.g. a round-robin record like the one below.
>>
>> [harry <at> srv-rhsoft:~]$ nslookup www.google.com
>> Server: 127.0.0.1
>> Address: 127.0.0.1#53
>>
>> Non-authoritative answer:
>> www.google.com canonical name = www.l.google.com.
>> Name: www.l.google.com
>> Address: 173.194.69.106
>> Name: www.l.google.com
>> Address: 173.194.69.147
>> Name: www.l.google.com
>> Address: 173.194.69.99
>> Name: www.l.google.com
>> Address: 173.194.69.103
>> Name: www.l.google.com
>> Address: 173.194.69.104
>> Name: www.l.google.com
>> Address: 173.194.69.105
>>
>> [harry <at> srv-rhsoft:~]$ nslookup 173.194.69.106
>> Server: 127.0.0.1
>> Address: 127.0.0.1#53
>>
>> Non-authoritative answer:
>> 106.69.194.173.in-addr.arpa name = bk-in-f106.1e100.net.
So, in an effort to help the discussion, here is the original link I referred to, where a Googlebot engineer says this is the way to go: http://googlewebmastercentral.blogspot.com/2006/09/how-to-verify-googlebot.html. In addition, one of the Googlebot attempts to access our site came from IP 66.249.67.172. Performing the forward/reverse lookup gives the expected results:
C:\>nslookup 66.249.67.172
Server: UnKnown
Address: 192.168.2.1
Name: crawl-66-249-67-172.googlebot.com
Address: 66.249.67.172
C:\>nslookup crawl-66-249-67-172.googlebot.com
Server: UnKnown
Address: 192.168.2.1
Non-authoritative answer:
Name: crawl-66-249-67-172.googlebot.com
Address: 66.249.67.172
So while this may not work for round-robin servers, the Googlebots do not appear to be load balanced.
The only problem I see with Chris's approach is that you would have to wait for Googlebots to be blocked before you could detect their IPs, perform the reverse/forward lookups and then unblock them. Assuming Google have a large pool of Googlebots, it might take some time before you could get the same bot back again and let it in. On the other hand, invoking this double DNS lookup whenever someone presents a suitable user agent sounds like a likely candidate for denial of service.
So have I got the wrong end of the stick with this?
Thanks
Chris
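The double lookup described in the quoted reply (reverse lookup of the source IP, forward lookup of the resulting name, compare with the original IP), with the round-robin and denial-of-service objections raised in the thread handled, as an added example that is not code from the thread, from Google or from ModSecurity. The resolver is injected so the block runs offline against constructed tables; the addresses 203.0.113.7, 198.51.100.9 and 66.249.67.173, the name crawl-pool.googlebot.com and the CachedVerifier class are assumptions made for illustration, and the google.com suffix is assumed alongside the googlebot.com domain the linked post names.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for crawler source IPs.

Added example; not code from the thread, Google or ModSecurity. The resolver
is injected so the check runs offline against constructed tables and can be
swapped for the system resolver in production.
"""
import socket
import time

# Suffixes a crawler PTR name is expected to fall under (googlebot.com per the
# linked Google post; google.com is an assumption).
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def fcrdns_verify(ip, reverse, forward, suffixes=GOOGLE_SUFFIXES):
    """Return (ok, reason) for the double lookup ip -> PTR name -> {A records}.

    reverse(ip) returns the PTR hostname (None or OSError if absent);
    forward(host) returns the set of addresses the name resolves to, which
    may hold several entries for a round-robin name.
    """
    try:
        host = reverse(ip)
    except OSError:
        host = None
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    # Whoever runs the reverse zone for the source address chooses the PTR
    # text, so the suffix test only decides which names are worth confirming.
    if not any(host.endswith(s) for s in suffixes):
        return False, f"PTR {host} is not under an allowed domain"
    try:
        addrs = forward(host)
    except OSError:
        addrs = set()
    # The forward zone for *.googlebot.com is Google's, not the attacker's:
    # the original address must appear among the A records. Any one match is
    # enough, which is why a round-robin name does not break the check.
    if ip not in addrs:
        return False, f"forward lookup of {host} does not include {ip}"
    return True, f"verified via {host}"


class CachedVerifier:
    """Remember verdicts per IP so a client sending a Googlebot User-Agent
    cannot make the server do two DNS lookups on every request."""

    def __init__(self, reverse, forward, ttl=3600, now=time.monotonic):
        self._reverse, self._forward = reverse, forward
        self._ttl, self._now = ttl, now
        self._cache = {}

    def verify(self, ip):
        hit = self._cache.get(ip)
        if hit and hit[0] > self._now():
            return hit[1], hit[2]
        ok, reason = fcrdns_verify(ip, self._reverse, self._forward)
        # Negative verdicts are cached too; otherwise a failing IP would keep
        # triggering lookups.
        self._cache[ip] = (self._now() + self._ttl, ok, reason)
        return ok, reason


# Adapters for the system resolver (production use; not exercised offline).
def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed resolver tables. The first entry reproduces the lookups posted
# in the thread; 203.0.113.7 (TEST-NET), 66.249.67.173 and
# crawl-pool.googlebot.com are made up for illustration.
PTR_TABLE = {
    "66.249.67.172": "crawl-66-249-67-172.googlebot.com.",
    # Attacker-controlled reverse zone claiming a Google name.
    "203.0.113.7": "crawl-66-249-67-172.googlebot.com.",
    "173.194.69.106": "bk-in-f106.1e100.net.",
    # Hypothetical round-robin crawler name with two addresses.
    "66.249.67.173": "crawl-pool.googlebot.com.",
}
A_TABLE = {
    "crawl-66-249-67-172.googlebot.com": {"66.249.67.172"},
    "crawl-pool.googlebot.com": {"66.249.67.172", "66.249.67.173"},
}


def table_reverse(ip):
    return PTR_TABLE.get(ip)


def table_forward(host):
    return A_TABLE.get(host, set())


if __name__ == "__main__":
    verifier = CachedVerifier(table_reverse, table_forward)
    for src in ("66.249.67.172", "203.0.113.7", "173.194.69.106",
                "66.249.67.173", "198.51.100.9"):
        print(src, verifier.verify(src))
```

The spoofed 203.0.113.7 gets past the suffix test but fails the forward confirmation, which is the whole point of the second lookup; 173.194.69.106 is rejected at the suffix step because its PTR name is under 1e100.net, not googlebot.com, matching Harry's observation that a www.google.com address does not reverse to a Google crawler name. The cache is what keeps the double lookup from being a cheap denial-of-service lever: a verdict, positive or negative, is computed once per IP per TTL, so a ModSecurity deployment would feed the cached result into an allow-list rather than resolving on every request.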
_______________________________________________ mod-security-users mailing list mod-security-users <at> lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/