Security Incidents mailing list archives
Re: web related oddity
From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Wed, 8 Mar 2000 09:23:07 -0800
On Sat, 4 Mar 2000, Richard Bejtlich wrote:
> Hi Don,
>
> Assuming the initial TTL for the 24 Feb activity was 255:
> 255 - 20 (hops) = 235
>
> Assuming the initial TTL for the 29 Feb activity was 128:
> 128 - 20 (hops) = 108
>
> The question is, why was 255 initially set, then later 128? As I understand it, initial TTL is set by the source host, and should only be decremented by routers, not "recalculated." Is this everyone's understanding as well?
Yup. Of course, it is adjustable:

http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0

(Windows example)

I don't know why someone would change it on purpose, and I'm not aware of anything that will change it automatically on one's Windows box. Perhaps he switched OSes? A quick test shows NT server 4.0, Win98 and Redhat 6.0 all default to 128.

Ryan
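
The TTL arithmetic discussed in this thread, as an added example that is not part of the original messages: it maps an observed TTL to the nearest candidate initial value within a plausible hop count and flags a source whose inferred initial TTL changes between sightings. The candidate list, the 30-hop limit, the function names and the 192.0.2.10 address are assumptions; the observed TTLs 235 and 108 are the ones implied by the quoted calculation.

```python
# Candidate initial TTLs (assumption: commonly seen stack defaults).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
MAX_HOPS = 30  # assumption: longer paths are treated as implausible


def infer_initial_ttl(observed_ttl, max_hops=MAX_HOPS):
    """Return (initial_ttl, hops), or (None, None) if no candidate fits."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        hops = initial - observed_ttl
        if 0 <= hops <= max_hops:
            return initial, hops
    # No candidate fits: a manually tuned TTL or an unusually long path.
    return None, None


def ttl_shifts(observations, hop_tolerance=2):
    """Report sources whose inferred initial TTL changes between sightings.

    observations: time-ordered (label, source, observed_ttl) tuples.
    Returns (source, old_label, old_initial, new_label, new_initial, same_path)
    tuples; same_path is True when hop counts agree within hop_tolerance,
    i.e. the sender's network position looks unchanged while the TTL did not.
    """
    last = {}
    shifts = []
    for label, src, ttl in observations:
        initial, hops = infer_initial_ttl(ttl)
        if initial is None:
            continue  # cannot attribute this packet; keep previous state
        prev = last.get(src)
        if prev and prev[1] != initial:
            same_path = abs(prev[2] - hops) <= hop_tolerance
            shifts.append((src, prev[0], prev[1], label, initial, same_path))
        last[src] = (label, initial, hops)
    return shifts


# Constructed sample: TTLs from the thread; the address is a placeholder.
SAMPLE = [
    ("24 Feb", "192.0.2.10", 235),
    ("29 Feb", "192.0.2.10", 108),
]

if __name__ == "__main__":
    for shift in ttl_shifts(SAMPLE):
        print(shift)
```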