Security Basics mailing list archives

RE: Traces


From: Fernando Gont <fernando () gont com ar>
Date: Thu, 01 Jan 2004 10:15:44 -0300

At 16:05 31/12/2003 -0800, Shawn Jackson wrote:

        Okdokie. Let's say I am pinging anything.org and it's 5 hops
away. Let's also say that through a status route change (a BGP peer goes
down, etc.) I'm being routed through a different backbone, now
anything.org is 8 hops away due to that change. Great, it's 8 hops away.

Note that you only need packets to take the same routes for some stable period of time. A BGP peer going down is the exception, not the rule.


you can't garner that information without, at least, a netblock. The ATM
core can be connected to thousands of networks, using that information
you can only have a meager guess at which backbone provider the attack
is coming from.

As I said in my last e-mail, the more data you have, the more accurate your guess may be. (See my example below.)



        TTL is not like miles; it can't be efficiently measured. Routers
can be hundreds of miles apart, or a few feet. I can reach the Eastern
half of the US in fewer hops than it takes me to get to Mexico. Does that
mean it's closer? Nope. Could I take a look at a TTL and say what state
it's in? Nope.

And what does this have to do with our discussion????
You don't need to know where the attacker *physically* is. You just need to know where he is, but from a "networking" point of view. You need to detect which router he is attached to.


        Can you give me an example of it in action? How would you use it
to trace the source of an attack where the originating IP Address has
been faked? IMHO I still think it's useless, but that's because I can't
see it working or giving me useful information.

Here's an example. I've attached the file trace.gif, which contains the network topology. All black circles are routers. All blue circles are attacked hosts. The red circle is the attacking host (which you'll infer is connected there, as you'll see in the following explanation).

A sees the attacker is three hops away.
B sees the attacker is three hops away.
C sees the attacker is three hops away.
E sees the attacker is four hops away.

With only this information, there are two possible routers to which the attacker could be attached: the one to which it actually is, and the one below that router.
(Those are the only two routers for which the information we have can be true.)

Fortunately, we have another friend (namely D), that is being attacked, and
D sees the attacker is two hops away.

So with this additional information, there's no doubt which is the router the attacker is attached to. (The attacker is indicated in the diagram by means of a red circle).

Depending on how much information you have, your "guess" may be as accurate as this one, or your guess may give you some "options" (as when we did not consider the data our friend D gave us).

Of course, you certainly may find scenarios that make our guess more difficult, or less accurate (for example, think about a router performing load sharing in a round-robin fashion). Or in the worst case, the attacker might be setting the original TTL to random values (I'm aware there are attacking tools that do this).

But the point is that, as you probably see, "TTL triangulation" may be useful.
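The hop-count reasoning above, as an added example that is not part of the original message or its trace.gif attachment (which is not available here): a small Python script over a constructed router graph that reproduces the stated observations. The router names r1..re, the host-to-router mapping and the sample TTL values are all assumptions made for the example. It turns each victim's observed TTL into a hop count using the common default initial TTLs, then keeps only the routers at which an attacker would produce every observed hop count. With A, B, C and E alone it yields two candidates; adding D's observation leaves one; an inconsistent set (as when the sender randomises its initial TTL) yields none.

```python
from collections import deque

# Constructed topology standing in for the trace.gif attachment of the
# original message. Routers are the nodes; hosts attach to a router.
# r1 is the router the attacker is really behind, r2 is the second router
# that the observations from A, B, C and E alone cannot rule out.
ROUTER_LINKS = {
    "r1": {"hub", "rd"},
    "r2": {"hub"},
    "hub": {"r1", "r2", "ra", "rb", "rc"},
    "ra": {"hub", "re"},
    "rb": {"hub"},
    "rc": {"hub"},
    "rd": {"r1"},
    "re": {"ra"},
}

# Which router each attacked host (A..E in the message) hangs off (assumed).
HOST_ROUTER = {"A": "ra", "B": "rb", "C": "rc", "D": "rd", "E": "re"}

# Common default initial TTLs; used to turn an observed TTL into a hop count.
DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)


def hops_from_ttl(observed_ttl):
    """Estimate router hops from the TTL seen at the victim, assuming the
    sender used the smallest common default initial TTL >= the observed value."""
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL above any known default initial value")


def router_distances(links, start):
    """Breadth-first search: number of router-to-router links from start."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def hop_count(links, src_router, dst_router):
    """Routers traversed from a host on src_router to a host on dst_router.
    Every router on the path decrements TTL once, so this is the link
    distance plus one (two hosts on the same router cross exactly one)."""
    return router_distances(links, src_router)[dst_router] + 1


def candidate_routers(links, host_router, observations):
    """Routers an attacker could be attached to such that every victim in
    `observations` ({victim: hops}) would see exactly the reported hop count.
    An empty list means the observations are mutually inconsistent."""
    candidates = []
    for router in sorted(links):
        if all(hop_count(links, router, host_router[victim]) == hops
               for victim, hops in observations.items()):
            candidates.append(router)
    return candidates


if __name__ == "__main__":
    # Constructed TTLs as each victim would see them on the attack packets.
    seen_ttl = {"A": 61, "B": 61, "C": 125, "D": 62, "E": 60}
    hops = {victim: hops_from_ttl(ttl) for victim, ttl in seen_ttl.items()}
    without_d = {v: h for v, h in hops.items() if v != "D"}
    print("hop counts:", hops)
    print("candidates from A, B, C, E:", candidate_routers(ROUTER_LINKS, HOST_ROUTER, without_d))
    print("candidates adding D:      ", candidate_routers(ROUTER_LINKS, HOST_ROUTER, hops))
```

The search is exhaustive over the router set, so it also works for topologies where the two candidate routers are not neighbours; what it cannot fix is the data itself, which is why a mixed-initial-TTL sender or round-robin load sharing shows up as an empty or too-wide candidate list rather than a wrong single answer.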


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org

