From owner-freebsd-net@freebsd.org Wed Mar 21 23:30:53 2018
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C6149F4DE9C; Wed, 21 Mar 2018 23:30:53 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 5BD3F6ED3C; Wed, 21 Mar 2018 23:30:52 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id EB4563AEF2; Wed, 21 Mar 2018 16:30:51 -0700 (PDT)
From: "Ronald F. Guilmette"
To: FreeBSD Net
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <5AB2D11A.6060605@grosbein.net>
Date: Wed, 21 Mar 2018 16:30:51 -0700
Message-ID: <5700.1521675051@segfault.tristatelogic.com>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 21 Mar 2018 23:30:53 -0000

In message <5AB2D11A.6060605@grosbein.net>, Eugene Grosbein wrote:

>If they respond truly identically, there are no reasons to treat them like
>distinct hosts despite different IP addresses.

Well, for my purposes, it would be inappropriate to make any such leap of faith.

If address A is somehow established to be under the control of a given Bad Actor, then even if address A' is seen to yield essentially identical results at the level of the application layer, this is most certainly -not- an adequate justification for anyone (e.g. me, or anyone else for that matter) to affirmatively assert that A' is under the control of the exact same Bad Actor.

Individual IPv4 addresses may often exhibit an identical set of open ports. And the responses provided when sending data to those ports may be "generic" and thus may be actually or virtually identical. This alone is not nearly enough to assert that A' is under the control of the exact same Bad Actor who is in control of A.

>And if you have such reason despite the fact that they respond truly identically,
>then such a reason stems from matters other than their response on requests
>to open ports.
>In this case you should differentiate them by other means too, not by open
>port's responses.

Yes... by other means -also-, e.g. DNS. Assume that this has already been done.

Assume that two different (and somehow related) FQDNs point to two different IPv4 addresses, A and A'. As we all know, any fool on the Internet can point any FQDN for which he controls the DNS to any bloody address he wants. But any such "pointing", standing alone and by itself, does not -prove- a damn thing about the pointed-at addresses, or about who is -currently- controlling them. (I wish that I had a dollar for every FQDN I had ever come across that resolved to either 127/8 or 10/8, or that pointed to an address that is not currently routed, and which perhaps never has been.)

If other data persuasively indicates that address A is under the control of a Bad Actor, and if there appears to be some connection between A and A' (such as some sort of association indicated by the DNS), then if there were a way to also establish that A and A' are both being routed to a single machine, then it could be reliably and persuasively asserted, without fear of contradiction, that A' is also under the control of the same Bad Actor.

I would like to be able to make such logical inferences and assertions, which is what prompted my question.