Zupe (MVM, join:2001-11-29, New York, NY) to Steve

Re: Analysis of Backstealth technology

Steve,

First let me say thank you for all of your hard work on this, it's greatly appreciated.

I have a very simple question in connection with this and the earlier Kerio rule Gwion had proposed:

The actual http connection in the backdll.dll file, is it coded as a request to a domain name, i.e. www.xyz.com, or as an IP address? The reason this would make a difference is that it appears that the block rule Gwion suggested is actually blocking a call to DNS to resolve a domain name, which causes it to fail, rather than blocking an actual http connection. If this is true, it would appear that the rule would be ineffective if an IP address had instead been used. I was just hoping to confirm this.

Thanks again.

Steve (I know your IP address, join:2001-03-10, Tustin, CA)

said by Zupe:
The actual http connection in the backdll.dll file, is it coded as a request to a domain name, i.e. www.xyz.com, or as an ip address?
It's a request done by name: "www.pc-facile.com", and this does in fact use DNS for the lookup. Seems to me that coding an IP address (for testing) would be a fair way to give it a try.

I'm getting up the nerve to dive into the personal firewall world here at home to test this, but figure I'll be rebooting all day :-(

Steve
Steve to Zupe

said by Zupe:
The actual http connection in the backdll.dll file, is it coded as a request to a domain name, i.e. www.xyz.com, or as an ip address?
This particular demonstration program uses a hostname that requires DNS to resolve, but I've given Gwion a version of my backstealth toolkit that permits testing with just an IP address: it remains to be seen how the various firewalls will handle this.

Steve
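The point both posts circle around is that a rule which stops the DNS lookup only stops a client that is coded by hostname; a client coded with an IP literal never performs the lookup, so the same rule lets its HTTP connection through. The following Python is an added illustration written for this page, not code from Backstealth, Kerio or anyone in the thread. It models the operations an HTTP client must perform for each kind of target and evaluates two hypothetical firewall rule sets against both, so that a reader can see which rule set actually covers the IP-literal case. The rule sets, the operation model and the address 203.0.113.10 (a documentation range) are constructed for the example; www.pc-facile.com is the hostname Steve names above.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# A network operation the client would have to perform, modelled as
# (protocol, destination port, purpose). This is a constructed model for
# the example, not a capture of what backdll.dll does.
Op = Tuple[str, int, str]
Rule = Tuple[str, int]  # (protocol, port) that the firewall blocks


def host_is_ip_literal(host: str) -> bool:
    """True if `host` is an IPv4 or IPv6 literal (bracketed IPv6 as in
    URLs is accepted); such a host needs no DNS resolution."""
    candidate = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def client_ops(target: str) -> List[Op]:
    """Operations an HTTP client performs to reach `target`.

    A hostname is first resolved (modelled as UDP/53, the common case for a
    stub resolver), then the TCP connection to port 80 is made. An IP
    literal skips the resolution step entirely.
    """
    ops: List[Op] = []
    if not host_is_ip_literal(target):
        ops.append(("udp", 53, "dns lookup of " + target))
    ops.append(("tcp", 80, "http request"))
    return ops


# Two hypothetical rule sets (constructed for this example):
#   DNS_ONLY_RULE  - blocks only the resolver traffic
#   HTTP_RULE      - blocks the outbound HTTP connection itself
DNS_ONLY_RULE: Set[Rule] = {("udp", 53)}
HTTP_RULE: Set[Rule] = {("tcp", 80)}


def first_blocked(ops: List[Op], rules: Set[Rule]) -> Optional[str]:
    """Return the purpose of the first operation a rule set stops, or None
    if the client gets all the way to its HTTP request."""
    for proto, port, purpose in ops:
        if (proto, port) in rules:
            return purpose
    return None


def rule_stops_both(rules: Set[Rule]) -> bool:
    """True only if the rule set stops the client both when it is coded by
    hostname and when it is coded with an IP literal."""
    targets = ("www.pc-facile.com", "203.0.113.10")  # second is constructed
    return all(first_blocked(client_ops(t), rules) is not None for t in targets)


if __name__ == "__main__":
    for name, rules in (("DNS-only rule", DNS_ONLY_RULE), ("HTTP rule", HTTP_RULE)):
        for target in ("www.pc-facile.com", "203.0.113.10", "[2001:db8::1]"):
            print(f"{name:13s} target={target:20s} blocked at: "
                  f"{first_blocked(client_ops(target), rules)}")
        print(f"{name:13s} stops both hostname and IP-literal clients: "
              f"{rule_stops_both(rules)}")
```

Run as a script it prints, for each rule set, where (if anywhere) each target is stopped. The DNS-only set stops the hostname client at the lookup and never touches the IP-literal client, which is the gap Zupe describes; only the set that blocks the outbound HTTP connection stops both. The same model applies to any rule that keys on name resolution rather than on the connection itself.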