Penetration Testing mailing list archives
Re: Traceroute question
From: Rob Sherwood <capveg () cs umd edu>
Date: Thu, 28 Dec 2006 04:40:48 -0500
On Wed, Dec 27, 2006 at 05:36:58PM -0800, Becky Nelson wrote:
I am running a traceroute and have two hops that report the same address. Could someone please explain what would cause this? I suspect that this is some type of firewall?
There are a number of things that can cause this, but the most common is a buggy IP implementation on the first router, which it forwards packets with a ttl=0. http://www.freesoft.org/CIE/Topics/54.htm [snip] Buggy TCP/IP implementations Traceroute depends on a rather obscure feature that often doesn't work correctly. Some of the problems people have found: code that fails to decrement TTL, code that incorrectly forwards packets with zero TTL, code that does not generate ICMP Timeouts, and code that sends ICMPs with the same TTL as the original packet. This last problem, of course, results in our ICMP Timeouts being sent with zero TTL - guaranteed not to make it back to us.
Current thread:
- Traceroute question Becky Nelson (Dec 27)
- Re: Traceroute question Marcelo Caceres (Dec 28)
- Re: Traceroute question sami ghourabi (Dec 28)
- RE: Traceroute question Tal Argoni (Dec 28)
- Re: Traceroute question Rob Sherwood (Dec 28)
- RE Traceroute question Francois Labreque (Dec 28)
- Re: RE Traceroute question Datta Vaidya (Dec 29)
- re: Traceroute question Robert MacDonald (Dec 28)
- Re: Traceroute question Cedric Blancher (Dec 29)
- <Possible follow-ups>
- RE: Traceroute question Omar Salvador Alcalá Ruiz (Dec 29)