On Thu, 31 May 2007, Andrew Sullivan wrote:

> > The popular TCP Wrapper package was originally conceived to discover
> > the network location of an attacker [Venema1992]. It used the reverse
> > mapping of a connecting host to provide the hostname of that host in
> > its output.
No. Early TCP wrappers just provided logs of activity, and later provided access control.

  "This paper presents a simple tool to monitor and control incoming
  network traffic."

  [...]

  "Services such as finger do not require a password, and almost never
  keep a record of their use. That explains why all his fingering
  activity had remained unnoticed."

Access control:

  "5. First extension: access control.

  [...]

  /etc/hosts.deny:

  ALL: terminus.lcs.mit.edu hilltop.rutgers.edu monk.rutgers.edu
  ALL: comserv.princeton.edu lewis-sri-gw.army.mil
  ALL: ruut.cc.ruu.nl 131.211.112.44
  ALL: tip-gsbi.stanford.edu
  ALL: tip-quada.stanford.edu
  ALL: s101-x25.stanford.edu
  ALL: tip-cdr.stanford.edu
  ALL: tip-cromemaa.stanford.edu
  ALL: tip-cromembb.stanford.edu
  ALL: tip-forsythe.stanford.edu"

TCP Wrappers did do access control based on reverse DNS, but that was soon discovered to be insecure. I note that the original 1992 paper didn't know that:

  "o Protection against hosts that pretend to have someone elses name
  (name server spoofing). This is important for network services such
  as rsh and rlogin whose authentication scheme is based on host names.
  When a host name or address mismatch is detected the connection is
  dropped even before the access-control files are consulted."

The TCP wrapper program did not succeed at stopping nameserver spoofing, nor could it. The author (Venema) just didn't know enough about DNS to know that.

This is the origin of the reverse DNS "security" myth. Years and much effort have been expended to dispel the myth, but true believers are hard to dissuade. That is a monument to something, but I don't know what.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
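The name/address mismatch test the quoted paper describes (reverse-map the client address, forward-map the resulting name, drop the connection if the address is not among the forward answers, then consult the hosts.allow/hosts.deny patterns) is small enough to model in a few lines. The following is an added example written for this page; it is not code from Dean's post, from the thread, or from the TCP Wrapper package, and the resolver is a constructed in-memory table rather than real DNS. All addresses, host names, zone contents and the helper names (paranoid_hostname, acl_allows, admit) are hypothetical. It shows the two sides of the mechanism in one place: a client whose operator controls only the reverse zone for its own address is caught by the forward check, while a client that can also make the wrapper's forward lookup return a spoofed answer passes, because the check has nothing but DNS to check DNS against.

```python
"""Forward-confirmed reverse DNS, in the style of the tcp_wrappers check,
run against a constructed in-memory resolver.

Added example for this page; not code from the post or from TCP Wrappers.
Every address, name and zone entry below is hypothetical.
"""

from typing import Dict, List, Optional

# Constructed reverse zone data (PTR records), keyed by client address.
# 10.0.0.9 is an attacker-run address whose operator has put a trusted
# name in their OWN reverse zone; nobody else has to cooperate for that.
PTR: Dict[str, str] = {
    "10.0.0.5": "shell.example.edu",   # honest host: reverse and forward agree
    "10.0.0.9": "shell.example.edu",   # attacker lies in its reverse zone
    "10.0.0.7": "box.attacker.test",   # attacker with an honest PTR
}

# Constructed forward zone data (A records) as the wrapper's resolver sees it.
A: Dict[str, List[str]] = {
    "shell.example.edu": ["10.0.0.5"],
    "box.attacker.test": ["10.0.0.7"],
}

# The same forward data after a spoofed/poisoned answer has been accepted by
# the wrapper's resolver: the attacker's address now "belongs" to the name.
POISONED_A: Dict[str, List[str]] = {
    "shell.example.edu": ["10.0.0.5", "10.0.0.9"],
    "box.attacker.test": ["10.0.0.7"],
}


def paranoid_hostname(ip: str, ptr: Dict[str, str],
                      a: Dict[str, List[str]]) -> Optional[str]:
    """Return the client's name only if PTR(ip) -> name and A(name) contains ip.

    This is the name/address mismatch test: on any mismatch the caller drops
    the connection before the access-control patterns are consulted.
    """
    name = ptr.get(ip)
    if name is None:
        return None
    name = name.lower()
    if ip not in a.get(name, []):
        return None  # mismatch: the claimed name does not map back to ip
    return name


def acl_allows(hostname: Optional[str], ip: str, patterns: List[str]) -> bool:
    """Subset of hosts.allow matching: ALL, exact host name, exact address,
    or a leading-dot domain suffix such as '.example.edu'."""
    for pat in patterns:
        pat = pat.lower()
        if pat == "all":
            return True
        if pat.startswith("."):
            if hostname is not None and hostname.endswith(pat):
                return True
        elif pat == hostname or pat == ip:
            return True
    return False


def admit(ip: str, ptr: Dict[str, str], a: Dict[str, List[str]],
          allow_patterns: List[str]) -> bool:
    """Full decision: mismatch check first, then the allow patterns."""
    name = paranoid_hostname(ip, ptr, a)
    if name is None:
        return False
    return acl_allows(name, ip, allow_patterns)


if __name__ == "__main__":
    allow = [".example.edu"]
    for label, ip, fwd in [
        ("honest client", "10.0.0.5", A),
        ("attacker, lying PTR only", "10.0.0.9", A),
        ("attacker, honest PTR", "10.0.0.7", A),
        ("attacker, lying PTR + spoofed forward answer", "10.0.0.9", POISONED_A),
    ]:
        print(f"{label:45s} {ip:10s} admitted={admit(ip, PTR, fwd, allow)}")
```

The third and fourth cases are the ones worth staring at: with honest forward data the lying PTR is rejected because shell.example.edu does not resolve to 10.0.0.9, but once the forward answer is spoofed the very same client is admitted, and the wrapper has no independent source of truth that could tell it anything went wrong.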