Security Incidents mailing list archives
Re: web related oddity
From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Tue, 7 Mar 2000 09:48:12 -0500
Hello Richard,

> Reply-To: Richard Bejtlich <bejtlich () TEXAS NET>
>
> Hi Don,
>
> Assuming the initial TTL for the 24 Feb activity was 255:
> 255 - 20 (hops) = 235
>
> Assuming the initial TTL for the 29 Feb activity was 128:
> 128 - 20 (hops) = 108
>
> The question is, why was 255 initially set, then later 128?

I made a second post about this later in the day on Feb 29, but I don't remember seeing it on the list. Anyway, a couple hours later the TTL was back to 235. Sure looks like TTL trickery to me, or maybe a dual boot host switching O/S's?

> As I understand it, initial TTL is set by the source host, and should only be decremented by routers, not "recalculated." Is this everyone's understanding as well?

Yes, but ...
- crafted packets can have any TTL (my first guess).
- ndd can be used to change the TTL.

But since I was not sending the initial packets the resets in themselves are interesting. ... Maybe side effect of a DoS spoofing my address ... but frequency of resets was (~1/hour), and only occurred after I visited some European web sites.

> Incidentally, I observed similar activity from the source host, although the TTLs I observed were in the 40's range. This would lead me to believe the initial TTL may have been 64.
>
> Richard

FYI, I just tried to ping/telnet to 194.182.239.100 and got no replies. Maybe someone complained and the system has been shut down? ... Or it might just be a dual boot laptop that is not always home, or a dual boot PC sometimes turned off, or a host that does IP stack twiddling to mask the O/S? Lots of ideas, few answers.

Don
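
The TTL arithmetic discussed in this message, as an added example that is not part of the original post: it rounds each observed TTL up to the nearest common initial value, estimates the hop count, and reports when one source's inferred initial TTL changes between observations. The source addresses, timestamps and function names are constructed for illustration; the observed TTLs 235 and 108 and the 40s range are the ones mentioned in the thread.

```python
# Initial TTLs commonly set by IP stacks; the thread discusses 64, 128 and 255.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed):
    """Return (assumed initial TTL, estimated hops) for an observed TTL."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    # Routers only decrement, so the initial value is the next common one up.
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed)
    return initial, initial - observed


def find_ttl_shifts(observations):
    """observations: iterable of (timestamp, src_ip, observed_ttl).

    Returns one record each time a source's inferred initial TTL changes,
    which is the pattern questioned in the thread (255 -> 128 -> 255).
    """
    last = {}      # src_ip -> (inferred initial TTL, estimated hops)
    shifts = []
    for ts, src, ttl in sorted(observations):
        initial, hops = infer_initial_ttl(ttl)
        if src in last and last[src][0] != initial:
            shifts.append({
                "time": ts, "src": src,
                "from": last[src][0], "to": initial,
                "hops_before": last[src][1], "hops_after": hops,
            })
        last[src] = (initial, hops)
    return shifts


# Constructed sample: documentation addresses and made-up timestamps.
SAMPLE = [
    ("2000-02-24T10:00", "192.0.2.10", 235),
    ("2000-02-29T09:00", "192.0.2.10", 108),
    ("2000-02-29T11:00", "192.0.2.10", 235),
    ("2000-02-29T09:05", "198.51.100.7", 44),   # path jitter only:
    ("2000-02-29T10:05", "198.51.100.7", 47),   # both infer initial TTL 64
]

if __name__ == "__main__":
    for s in find_ttl_shifts(SAMPLE):
        print(f"{s['time']} {s['src']}: initial TTL {s['from']} -> {s['to']} "
              f"(hops {s['hops_before']} -> {s['hops_after']})")
```

An unchanged hop estimate across a shift, as in the sample, means the path length looks the same and only the sender's starting value differs.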