Re: hiding routers

[Sebastian Krahmer <krahmer () suse de>]

On Wed, 18 Apr 2007, Kristian Hermansen wrote:

Hi,

All better firewalling equipment offers a "stealth-routing" feature;
patches also exist for the Linux kernel. They can be detected using
DF-bit and certain other fields within the IP hdr, depending on
implementation and setup. Not decrementing TTL also does not
mean that it actually forwards packets with TTL 0.

Sebastian

> I brought this question up on another mailing list, but didn't get any
> good answers...
>
> How common is it that a router does not decrement the TTL of packets,
> such that it is unable to be identified using traceroute?  Choosing
> not to decrement the TTL causes the next router to appear as the hop,
> but the current router to remain hidden.  How does one commonly
> identify such hidden routers in an automated fashion?  And is it
> policy for any organizations to actually do this, or only with certain
> packet types?
>
> The responses I got were along the lines of "don't do that, it breaks
> tcp/ip and error conditions".  However, I am still interested in how
> likely an organization is to try something like this for both
> legitimate and illegitimate purposes.

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/