Thursday, April 26, 2007

Mix and Match

An additional point worth mentioning regarding IP address obfuscation is that the encodings (hex, octal, decimal) can be mixed and matched within the same IP address: each dotted component is parsed on its own, so nothing forces all four to use the same base.
Most of these formats work in most browsers, so a link written this way resolves just as the plain address would. The Wikipedia article on IPv4 makes the same point: in dotted format each octet can be written in a different base, so 207.0x8E.0203.235 is a valid (though unconventional) way of writing 207.142.131.235.
Spammers are actively using this technique; this URL arrived today in a pump-and-dump stock spam:

http://0x00000000000d8.00000000000323.0x000000000000000000000009e.124/

The link in the email is dressed up as MoneyCentral.MSN.com, but the obfuscated address actually redirects to a random .BIZ site.

The four components of this host are:
  1. 0x00000000000d8 : hex with leading zeroes (216)
  2. 00000000000323 : octal with leading zeroes (211)
  3. 0x000000000000000000000009e : hex with leading zeroes (158)
  4. 124 : plain decimal
The address translates to 216.211.158.124 in dotted-quad (decimal) format; the leading zeroes carry no value and are there only to make the host look like noise.
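As an added example (not code from the original diary), here is a Python decoder that applies the same per-component rules to any numeric host, mixed bases and leading zeroes included, and goes one step beyond the diary's case by also handling the fewer-than-four-component forms (for example a single dword) that inet_aton() and browsers accept. The spam URL is the one quoted above; the other sample hosts and all function names are my own.

```python
"""Decode obfuscated IPv4 hosts (mixed hex / octal / decimal components,
leading zeroes, fewer than four components) into dotted decimal.

Added example, not code from the original diary. It follows the classic
inet_aton() rules, which are also what browsers apply to numeric hosts.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the spam URL quoted in the diary.
SPAM_URL = "http://0x00000000000d8.00000000000323.0x000000000000000000000009e.124/"

_DIGITS = {16: r"[0-9a-fA-F]+", 8: r"[0-7]+", 10: r"[0-9]+"}
_CANONICAL = re.compile(r"(?:0|[1-9][0-9]{0,2})(?:\.(?:0|[1-9][0-9]{0,2})){3}")


def _parse_component(part: str) -> int:
    """One dotted component: a '0x' prefix means hex, a leading zero means
    octal, anything else is decimal. Any number of leading zeroes after the
    prefix is allowed, which is what makes the spam host look like noise."""
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
        if digits == "":          # a bare "0x" parses as zero
            return 0
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    # Strict digit check: int() alone would also accept '+', '_' and spaces.
    if not re.fullmatch(_DIGITS[base], digits):
        raise ValueError(f"not a valid base-{base} component: {part!r}")
    return int(digits, base)


def decode_obfuscated_ipv4(host: str) -> str:
    """Return the canonical dotted-decimal form of a numeric IPv4 host.

    With four components each one is an octet. With fewer, the last
    component fills the remaining bytes, so 216.211.40572 and the single
    dword 3637747324 both decode to 216.211.158.124.
    Raises ValueError for anything that is not a numeric IPv4 literal.
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":   # tolerate one trailing dot
        parts.pop()
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1 to 4 components, got {len(parts)}")
    values = [_parse_component(p) for p in parts]
    tail_bytes = 5 - len(values)             # bytes covered by the last component
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"component {v} exceeds one octet")
    if values[-1] >= 256 ** tail_bytes:
        raise ValueError(f"final component {values[-1]} overflows the address")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_canonical_dotted_quad(host: str) -> bool:
    """True only for plain dotted decimal with no leading zeroes or prefixes."""
    return bool(_CANONICAL.fullmatch(host)) and all(int(p) <= 255 for p in host.split("."))


def is_obfuscated_ip_host(host: str) -> bool:
    """A host that decodes to an IPv4 address but is not written in canonical
    dotted decimal: a cheap signal for a mail or proxy filter."""
    try:
        decode_obfuscated_ipv4(host)
    except ValueError:
        return False
    return not is_canonical_dotted_quad(host)


def decode_url_host(url: str):
    """Return (host, dotted_decimal_or_None) for the host part of a URL."""
    host = urlsplit(url).hostname or ""
    try:
        return host, decode_obfuscated_ipv4(host)
    except ValueError:
        return host, None


if __name__ == "__main__":
    host, decoded = decode_url_host(SPAM_URL)
    print(f"{host} -> {decoded} (obfuscated: {is_obfuscated_ip_host(host)})")
```

One caveat worth remembering when building a filter around this: inet_aton(3) accepts every form above, while inet_pton(3) with AF_INET only accepts four plain decimal octets. A blocklist check that normalises hosts with inet_pton() will silently skip these spam links; normalise with inet_aton() or a decoder like the one above before comparing.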

1 comment:

iamnowonmai said...

I don't believe it. A SANS course in Maine finally, and I can't go!
:(