Security Basics mailing list archives

RE: Traces


From: Fernando Gont <fernando () gont com ar>
Date: Wed, 31 Dec 2003 17:59:41 -0300

At 12:18 31/12/2003 -0800, Shawn Jackson wrote:

        Eh' kinda. The TTL is decremented when the packet travels over a
router. If they don't set the TTL to a random number you know, "hey he's
eight hops away", but that's it. In a confined corporate network that
might work better, but on a network as dynamic as the internet, not all
paths have the same TTL so it's almost worthless, IMHO.

What do you mean by "not all paths have the same TTL"?
If the TTL has not been intentionally set to some random value, even when routes may change, you can still say "it's X hops away".

So the dynamic nature of routes doesn't make this technique useless.

Furthermore, if somehow you can correlate an attack to your site with any other attack to some other sites, you will have a better idea of where the attacker is.

Of course, this will work if and only if the TTL field is not set to a random value.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
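
The hop-count reasoning discussed in this message, as an added example that is not part of the original post: it estimates distance from a received TTL, compares observations from several sites, and flags the randomised-TTL case where the estimate is meaningless. The default initial TTL values, the `MAX_SPREAD` tolerance, and the sample observations are assumptions constructed for illustration.

```python
# Added example. The default initial TTLs below are an assumption about
# common IP stacks; the original post names no values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
MAX_SPREAD = 4  # hypothetical tolerance for hop-count drift from route changes


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) for a TTL seen at the receiver.

    The initial TTL is guessed as the smallest common default that is not
    below the observed value, so the result is an estimate, not a measurement.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def summarize(observations):
    """Per site, report the hop-count range and whether it looks usable.

    A sender that leaves the TTL alone yields hop counts that move by only a
    few hops when routes change. A wide spread suggests a randomised TTL.
    """
    per_site = {}
    for site, ttl in observations:
        per_site.setdefault(site, []).append(estimate_hops(ttl)[1])
    return {
        site: {"min_hops": min(h), "max_hops": max(h),
               "usable": max(h) - min(h) <= MAX_SPREAD}
        for site, h in per_site.items()
    }


# Constructed sample data: (receiving site, TTL of a received packet).
SAMPLE = [
    ("site_a", 116), ("site_a", 115), ("site_a", 117),  # stable, ~12 hops
    ("site_b", 56), ("site_b", 55),                     # stable, ~8 hops
    ("site_c", 201), ("site_c", 37), ("site_c", 14),    # looks randomised
]

if __name__ == "__main__":
    for site, info in summarize(SAMPLE).items():
        print(site, info)
```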


