AT&T/@Home has standardized on using DHCP for end-user workstation configuration. This configuration is done via the standard DHCP implementation, but also is configured to send a string to the DHCP server with the "hostname" of the client. This hostname is administratively defined by AT&T and is a unique customer number. An example is...

cb666699-a.anytwn.il.home.com

Where the customer ID is cb666699-a in the subdomain of anytwn.il

What frightens me is that no PTR records are configured except for this dynamic method. By scanning for PTR records, it is easy to determine active IP addresses and focus attack efforts on those IPs only, speeding up possible intrusions (imagine how much quicker it is if only 20,000 hosts are listening on a 24/8 subnet!)

This implementation, while not a true "vulnerability", is not quite a "Best Practice".

-#0
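
Added example, not part of the original post: an offline check an operator could run over an export of their own reverse zone to measure how much the PTR set described above reveals about active leases and customer IDs. The zone lines, the 10.20.30.0/24 pool and the customer-ID pattern (inferred from the single hostname in the post) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: PTR lines from a hypothetical reverse-zone export.
# Addresses and customer IDs are made up, modelled on the hostname in the post.
SAMPLE_ZONE = """\
; pool 10.20.30.0/24 (constructed)
1.30.20.10.in-addr.arpa.   3600 IN PTR gw.anytwn.il.home.com.
5.30.20.10.in-addr.arpa.   3600 IN PTR cb666699-a.anytwn.il.home.com.
17.30.20.10.in-addr.arpa.  3600 IN PTR cb100001-a.anytwn.il.home.com.
200.30.20.10.in-addr.arpa. 3600 IN PTR cb100002-b.anytwn.il.home.com.
9.31.20.10.in-addr.arpa.   3600 IN PTR cb100003-a.anytwn.il.home.com.
"""

PTR_RE = re.compile(
    r"^(\S+)\.in-addr\.arpa\.?\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)$", re.I)
# Assumption: customer IDs look like the post's single example, "cb666699-a".
CUSTOMER_RE = re.compile(r"^[a-z]{2}\d+-[a-z]\.", re.I)

def parse_ptr_records(zone_text):
    """Map each IPv4 address that owns a PTR record to its target name."""
    records = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and zone-file comments
        m = PTR_RE.match(line)
        if not m:
            continue
        octets = m.group(1).split(".")
        if len(octets) != 4:
            continue  # only fully qualified IPv4 owner names are handled
        # Owner names store the octets in reverse order.
        records[ipaddress.ip_address(".".join(reversed(octets)))] = m.group(2)
    return records

def audit_pool(records, pool_cidr):
    """Report how many pool addresses are identifiable from PTR data alone."""
    pool = ipaddress.ip_network(pool_cidr)
    in_pool = {ip: name for ip, name in records.items() if ip in pool}
    customer = sorted(ip for ip, n in in_pool.items() if CUSTOMER_RE.match(n))
    return {
        "pool_size": pool.num_addresses,
        "with_ptr": len(in_pool),
        "customer_named": [str(ip) for ip in customer],
        # True when PTR presence separates some addresses from the rest.
        "ptr_reveals_active": 0 < len(in_pool) < pool.num_addresses,
    }

if __name__ == "__main__":
    print(audit_pool(parse_ptr_records(SAMPLE_ZONE), "10.20.30.0/24"))
```
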