Security Basics mailing list archives
RE: Traces
From: Fernando Gont <fernando () gont com ar>
Date: Wed, 31 Dec 2003 17:59:41 -0300
At 12:18 31/12/2003 -0800, Shawn Jackson wrote:
> Eh' kinda. The TTL is decremented when the packet travels over a router. If they don't set the TTL to a random number you know, "hey he's eight hops away", but that's it. In a confined corporate network that might work better, but on a network as dynamic as the internet, not all paths have the same TTL so it's almost worthless, IMHO.
What do you mean by "not all paths have the same TTL"? If the TTL has not been intentionally set to some random value, even when routes may change, you can still say "it's X hops away".
So the dynamic nature of routes doesn't make this technique useless. Furthermore, if somehow you can correlate an attack to your site with any other attack to some other sites, you will have a better idea of where the attacker is.
Of course, this will work if and only if the TTL field is not set to a random value.
--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
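An added example, not part of the original message: a hop estimate from the TTL values seen in captured packets, together with a check for the randomized-TTL case in which the estimate stops meaning anything. The list of common initial TTLs, the spread tolerance and the sample observations are assumptions of this example; the addresses are documentation ranges.

```python
from collections import defaultdict

# Assumption: senders start from one of these widely used default TTLs.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
# Assumption: route changes move the observed TTL by only a few hops.
MAX_SPREAD = 4

def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that could have produced observed_ttl."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)

def summarize(observations):
    """Map each source to a verdict and, if usable, a (min, max) hop range."""
    by_source = defaultdict(list)
    for source, ttl in observations:
        by_source[source].append(ttl)
    report = {}
    for source, ttls in by_source.items():
        spread = max(ttls) - min(ttls)
        if spread > MAX_SPREAD:
            # TTLs scattered far apart: randomized or spoofed, no hop estimate.
            report[source] = ("inconsistent", None)
            continue
        # Infer the initial TTL once, from the highest value seen, so a group
        # straddling a boundary (e.g. 64 and 65) is not split in two.
        initial = infer_initial_ttl(max(ttls))
        report[source] = ("consistent", (initial - max(ttls), initial - min(ttls)))
    return report

# Constructed sample: (source address, TTL seen at the capture point).
SAMPLE = [
    ("192.0.2.10", 56), ("192.0.2.10", 56), ("192.0.2.10", 55),
    ("198.51.100.7", 201), ("198.51.100.7", 37), ("198.51.100.7", 118),
]

if __name__ == "__main__":
    for source, (verdict, hops) in summarize(SAMPLE).items():
        print(source, verdict, hops)
```

The hop range is only as good as the guessed initial TTL, so treat it as an estimate to correlate with other observations rather than a measurement.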