Security Basics mailing list archives

Re: Traces


From: Jimi Thompson <jimit () myrealbox com>
Date: Sat, 03 Jan 2004 01:16:38 -0600

All,

I see a couple of problems with this idea of tracking people via "hops". One, you have made the assumption that the traffic is traveling the same path each time. Thanks to OSPF, if the attacker has managed to saturate one network segment with his attack, he'll get his traffic rerouted to a less congested segment. This will change the TTL for seemingly random packets. Additionally, if the attacker has saturated one segment with his attack and commences a second attack, the traffic for the second attack is likely to be rerouted to a third path and will have a totally different TTL from the first two. Third, you have also assumed that both of the people under attack have the same ISP as well as being physically attached to the same gear at that ISP. If they aren't attached to the same gear, then you really don't get anywhere by making the assumption that the two TTLs from the separate locations bear much relation.

Physically locating people via "hops" isn't a very viable method. While 8 hops on a corporate network might be manageable, 8 hops on the internet is nearly literally 1/2 the planet. 8 hops on a corporate network is manageable since all of the possible hops (and their physical locations) are known quantities, unlike the internet where nodes can attach or detach at will. Furthermore, most older TCP stacks have an absolute maximum TTL of 20 hard coded in. That's 20 hops from anywhere on the planet to the core DNS. Given the idea that the planet should be covered in 20 hops, 8 hops could be the other side of the planet. As an example, I started counting hops from my PC to several places around the world. Not counting the 4 hops that it takes to get off my local network (since most home networks won't have 4 hops to the outside), it's only 8 hops from here to Los Angeles and only 10 to China. It's 9 to Moscow, 8 to Morocco, 5 to Brazil, and 12 to Kenya. Your mileage may vary, but I strongly encourage you to test it.

Your best hope is finding out if your ISP can determine where the traffic is coming from and backtrack it that way. My guess is that you'll find that at least one of the ISPs along the way hasn't kept the required records, so you'll likely be unable to continue your quest. If your guy is 8 hops out, he could be in Morocco, on a private network in Brazil or in LA. Either way, that's not a very small area to cover.

2 cents,

Jimi

Fernando Gont wrote:

At 12:18 31/12/2003 -0800, Shawn Jackson wrote:

        Eh' kinda. The TTL is decremented when the packet travels over a
router. If they don't set the TTL to a random number you know, "hey he's
eight hops away", but that's it. In a confined corporate network that
might work better, but on a network as dynamic as the internet, not all
paths have the same TTL so it's almost worthless, IMHO.


What do you mean by "not all paths have the same TTL"?
If the TTL has not been intentionally set to some random value, even when routes may change, you can still say "it's X hops away".

So the dynamic nature of routes doesn't make this technique useless.

Furthermore, if somehow you can correlate an attack to your site with any other attack to some other sites, you will have a better idea of where the attacker is.

Of course, this will work if and only if the TTL field is not set to a random value.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
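As an added illustration of the hop-count estimate the two posts disagree about (example code written for this archive page, not from either author): it assumes the sender's stack started with one of the common initial TTLs (64, 128 or 255) and shows how a route change surfaces as a second hop count while a randomised TTL surfaces as a wide spread.

```python
# Added example: estimate hop distance from observed IPv4 TTL values.
# Not code from the thread's authors; the initial-TTL table is an assumption.
from collections import Counter

# Initial TTLs that common OS stacks start with (assumption: the sender uses one of these).
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) for one observed TTL.

    Picks the smallest common initial TTL that is >= the observed value, so a
    TTL of 56 is read as 64 - 8 = 8 hops. Raises ValueError on impossible values.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255, got %r" % observed_ttl)
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 always matches")


def hop_distribution(observed_ttls):
    """Count how many packets arrived at each estimated hop distance.

    Route changes (the OSPF rerouting Jimi describes) show up as more than one
    hop count for the same source; a randomised TTL shows up as a wide spread.
    """
    return Counter(estimate_hops(t)[1] for t in observed_ttls)


def looks_randomised(observed_ttls, max_spread=4):
    """Heuristic: a spread of hop estimates wider than max_spread suggests the
    sender is randomising its initial TTL rather than taking a few paths."""
    hops = hop_distribution(observed_ttls)
    return max(hops) - min(hops) > max_spread


# Constructed sample: mostly one path (8 hops), a few packets rerouted (10 hops).
SAMPLE_TTLS = [56, 56, 56, 54, 56, 54, 56, 56]

if __name__ == "__main__":
    print(hop_distribution(SAMPLE_TTLS))   # Counter({8: 6, 10: 2})
    print(looks_randomised(SAMPLE_TTLS))   # False
```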