Security Incidents mailing list archives

Re: web related oddity


From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Wed, 8 Mar 2000 13:59:39 -0500


From: Ryan Russell <ryan () SECURITYFOCUS COM>

On Sat, 4 Mar 2000, Richard Bejtlich wrote:

Hi Don,

Assuming the initial TTL for the 24 Feb activity was 255:

255 - 20 (hops) = 235

Assuming the initial TTL for the 29 Feb activity was 128:

128 - 20 (hops) = 108

The question is, why was 255 initially set, then later 128?
As I understand it, initial TTL is set by the source host,
and should only be decremented by routers, not "recalculated."
Is this everyone's understanding as well?


Yup.  Of course, it is adjustable:

http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
(Windows example)

I don't know why someone would change it on purpose, and I'm not aware of
anything that will change it automatically on one's Windows box.  Perhaps
he switched OSes?  A quick test shows NT server 4.0, Win98 and Redhat 6.0
all default to 128.

                                      Ryan

The world is not Windows-only.  With ndd on Solaris it can be changed on the
fly.

I won't reproduce it here, but http://www.map.ethz.ch/ftp-probleme.htm
shows default TTL values of 30, 32, 60, 64, 128, and 255 for TCP, and
default values of 30, 60, 64, 128 and 255 for different O/S's.

Don
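
The TTL arithmetic discussed in this thread, as an added example that is not part of the original messages: it infers the initial TTL and hop count from an observed TTL using the default values listed above, then reports sources whose inferred initial TTL changes between records. The log line format, the addresses (documentation ranges) and the "smallest default at or above the observed value" heuristic are assumptions made for the example.

```python
import re
from collections import defaultdict

# Default initial TTLs named in the thread (from the page Don cites).
DEFAULT_TTLS = (30, 32, 60, 64, 128, 255)

def infer_initial_ttl(observed):
    """Return (initial, hops) using the smallest listed default >= observed.

    Assumption: the path is shorter than the gap to the next default. An
    observed 50 could also be 64 - 14 or 128 - 78, so treat this as a guess.
    """
    for initial in DEFAULT_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range: %r" % observed)

# Constructed log format: "<date> <src> > <dst> ttl=<n>"
LINE = re.compile(r"^(\S+) (\S+) > \S+ ttl=(\d+)$")

def ttl_shifts(lines):
    """Map each source whose inferred initial TTL differs between records
    to its list of (date, observed, initial, hops) tuples."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        date, src, ttl = m.group(1), m.group(2), int(m.group(3))
        initial, hops = infer_initial_ttl(ttl)
        seen[src].append((date, ttl, initial, hops))
    return {src: recs for src, recs in seen.items()
            if len({r[2] for r in recs}) > 1}

# Constructed sample: the first source mirrors the 24 Feb / 29 Feb TTLs.
SAMPLE = """\
2000-02-24 192.0.2.10 > 198.51.100.5 ttl=235
2000-02-29 192.0.2.10 > 198.51.100.5 ttl=108
2000-02-29 192.0.2.77 > 198.51.100.5 ttl=50
2000-03-01 192.0.2.77 > 198.51.100.5 ttl=50
""".splitlines()

if __name__ == "__main__":
    for src, recs in ttl_shifts(SAMPLE).items():
        print(src)
        for date, ttl, initial, hops in recs:
            print("  %s observed=%d initial=%d hops=%d" % (date, ttl, initial, hops))
```

A source whose inferred initial TTL changes while the hop count stays the same matches the pattern discussed in the thread: the same network distance, with a different starting value set at the sending host.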

