Security Basics mailing list archives
RE: Traces
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 5 Jan 2004 15:59:31 +0100
Correlating TTL is how the hunt for timex.0 at SANS was set up. It was unsuccessful. There is a great writeup in Stephen Northcutt's 'Network Intrusion Detection: An Analyst's Handbook' and I think there are (or were) materials at www.sans.org/y2k about their attempts to triangulate TTL.

But back to the question at hand: Can I find an attacker based on TTL? (and secondly: even assuming it could work, what would it tell me?)

Let's say you have:
1) 10 friends (like any of us have that many ;),
2) a perfect map of the internet (ok, so you can freeze time too),
3) and you all have incoming ping floods from the same guy (you know this because the packet payloads are all the same)
4) from various spoofed IPs (like each other's IPs, so you can be sure they are spoofed), and you also have
5) reason to believe that the original TTL was a constant (say, for the sake of argument, one person is getting packets with a TTL of 254, even though this would mess up the rest of the argument. We will also let this person be one hop from hundreds of routers)

Using TTL and the perfect Internet map you can figure out a set of routers which are n hops away from you. For each friend that is getting the same stuff, he can map a subset of your router set that are routers n hops from you *and* m hops from him. For each additional friend, you get more accurate (or your set of possible routers gets smaller). Thus: as your number of friends/co-victims approaches infinity, the number of possible routers approaches 1. So you can (theoretically) figure out which router he is behind. You would then need heavy cooperation from the operators of the router or from the ISP to which it belongs to find a person. By which point the script kiddy's mother has probably called him to dinner, and he's logged off anyway. This forces you to unfreeze time and let him eat dinner and come back to his computer, then log back into a different ISP...
Given the vagaries of the internet that Shawn mentioned, any TTL-correlation approach would likely prove absolutely impracticable. If someone else has a suggestion how it could work, by all means post it: it would be a great weapon against spoofing.

Cheers,
Chris

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Thursday, January 01, 2004 1:06 AM
To: Fernando Gont; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces

Okdokie. Let's say I am pinging anything.org and it's 5 hops away. Let's also say that through a status route change (a BGP peer goes down, etc.) I'm being routed through a different backbone; now anything.org is 8 hops away due to that change. Great, it's 8 hops away. Now, you have a DOS attack against two networks, your friend's and yours. Your friend detects that the attacker is 12 hops away. You are suffering from the same attack and detect that it is 7 hops away. Let's also assume that we've stripped the dynamic properties of the Internet away and you know for a FACT that 11 hops away from him and 6 hops away from you is an SBC ATM Core. The last hop is unknown because you can't garner that information without, at least, a netblock. The ATM core can be connected to thousands of networks; using that information you can only have a meager guess at which backbone provider the attack is coming from. Now 20 hops away from me could be almost anywhere in the western half of the world thanks to AT&T.

The dynamic state of routes is what complicates this technique. 12 hops for me can be 30 hops to you. Then all of a sudden it's 30 hops for me and 33 hops for you. Using the above example, say your ISP had to route through its backup Tier 1 connection due to traffic load, which leaves the backbone network in another state; now instead of 7 hops you're up to 9. TTL is not like miles; it can't be efficiently measured. Routers can be hundreds of miles apart, or a few feet.

I can reach the Eastern half of the US in fewer hops than it takes me to get to Mexico; does that mean it's closer? Nope. Could I take a look at a TTL and say what state it's in? Nope. Can you give me an example of it in action? How would you use it to trace the source of an attack where the originating IP Address has been faked? IMHO I still think it is useless, but that's because I can't see it working or giving me useful information.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar]
Sent: Wednesday, December 31, 2003 1:00 PM
To: Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces

At 12:18 31/12/2003 -0800, Shawn Jackson wrote:
Eh' kinda. The TTL is decremented when the packet travels over a router. If they don't set the TTL to a random number you know, "hey he's eight hops away", but that's it. In a confined corporate network that might work better, but on a network as dynamic as the internet, not all paths have the same TTL so it's almost worthless, IMHO.

What do you mean by "not all paths have the same TTL"? If the TTL has not been intentionally set to some random value, even when routes may change, you can still say "it's X hops away". So the dynamic nature of routes doesn't make this technique useless. Furthermore, if somehow you can correlate an attack to your site with any other attack to some other sites, you will have a better idea of where the attacker is. Of course, this will work if and only if the TTL field is not set to a random value.

--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
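The correlation Chris sketches above (the routers n hops from one victim intersected with those m hops from another) and Shawn's objection that a route change breaks it, worked through as an added Python example. This is not code from the thread or from any of the posters; the toy topology, the victim names and the observed TTL values are constructed, and the hop estimate assumes the sender used a common OS default initial TTL (64, 128 or 255), which is exactly the assumption Fernando says the technique stands or falls on.

```python
"""Added example (not from the thread): estimate hop count from an observed TTL,
then intersect the candidate router sets of several victims on a toy map."""
from collections import deque

# Common OS default initial TTLs. The estimate only means something if the
# sender really used one of these and did not randomise the field.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl):
    """Return the number of routers a packet crossed, assuming the smallest
    common initial TTL that is >= the observed value. A TTL of 30 is read as
    34 hops from 64 rather than 98 hops from 128, so low values stay ambiguous."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 0..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def hop_distances(graph, source):
    """Breadth-first search over an undirected adjacency map.
    Returns {node: link hops from source} for every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nbr in graph[node]:
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def candidate_routers(graph, routers, observations):
    """observations: iterable of (victim_node, observed_ttl). Returns the set of
    routers consistent with every victim's hop estimate, i.e. the intersection
    Chris describes. An empty set means the observations contradict each other,
    for example because a route changed between the two captures."""
    candidates = None
    for victim, ttl in observations:
        hops = estimate_hops(ttl)
        dist = hop_distances(graph, victim)
        matching = {n for n, d in dist.items() if d == hops and n in routers}
        candidates = matching if candidates is None else candidates & matching
    return candidates if candidates is not None else set()


# Constructed toy topology: five routers and two victims. The attacker's own
# host is deliberately absent, since its address is spoofed and unknown.
TOY_MAP = {
    "R1": {"R2", "R3"},
    "R2": {"R1", "R4", "R5"},
    "R3": {"R1", "R5"},
    "R4": {"R2", "victimA"},
    "R5": {"R2", "R3", "victimB"},
    "victimA": {"R4"},
    "victimB": {"R5"},
}
ROUTERS = {n for n in TOY_MAP if n.startswith("R")}

if __name__ == "__main__":
    # Constructed captures: a sender behind R1 with initial TTL 64 reaches both
    # victims through three routers, so each sees TTL 61.
    one = candidate_routers(TOY_MAP, ROUTERS, [("victimA", 61)])
    both = candidate_routers(TOY_MAP, ROUTERS, [("victimA", 61), ("victimB", 61)])
    shifted = candidate_routers(TOY_MAP, ROUTERS, [("victimA", 61), ("victimB", 62)])
    print("victimA alone:", sorted(one))            # ['R1', 'R5']
    print("both victims:", sorted(both))            # ['R1']
    print("after a route change:", sorted(shifted))  # []
```

With one victim the map leaves two routers at the right distance; the second victim's observation cuts that to one, which is Chris's "set shrinks with each co-victim" argument. The third call shows Shawn's objection: if victimB's path gains or loses a router between captures, the sets no longer overlap and the intersection is empty, so the method silently gives nothing rather than a wrong answer only when the two captures were taken under the same routing state.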