Security Basics mailing list archives

Re: Traces


From: Fernando Gont <fernando () gont com ar>
Date: Tue, 06 Jan 2004 10:09:55 -0300

At 01:16 03/01/2004 -0600, Jimi Thompson wrote:

I see a couple of problems with this idea of tracking people via "hops".

Yes, of course there are.
I just pointed out to the original poster that he could use TTL triangulation to infer which router the attacker is attached to.
Whether this method may be useful or not depends on the scenario.


One, you have made the assumption that the traffic is traveling the same path each time. Thanks to OSPF, if the attacker has managed to saturate one network segment with his attack, he'll get his traffic rerouted to a less congested segment.

If he has *intentionally* done this, then he probably is randomizing the TTL, anyway.


will have a totally different TTL from the first two. Third, you have also assumed that both of the people under attack have the same ISP as well as being physically attached to the same gear at that ISP. If they aren't attached to the same gear, then you really don't get anywhere by making the assumption that the two TTL's from the separate locations bear much relation.

Why do you think so?


Physically locating people via "hops" isn't a very viable method. While 8 hops on a corporate network might be manageable, 8 hops on the internet is nearly literally 1/2 the planet. 8 hops on a corporate network is manageable since all of the possible hops (and their physical locations) are known quantities, unlike the internet where nodes can attach or detach at will. Furthermore, most older TCP stacks have an absolute maximum TTL of 20 hard coded in. That's 20 hops from anywhere on the planet to the core DNS.

Sorry, I did not understand that part of "That's 20 hops from anywhere on the planet to the core DNS".

Best Regards,


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
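The "TTL triangulation" the thread argues about, as an added illustration that is not part of the original message or of anything Fernando or Jimi posted. It shows the two steps a defender would actually take: first estimate the hop count of incoming packets from their observed TTL by assuming the sender used one of the common initial TTLs (32, 64, 128 or 255), then compare the estimated hop counts seen at two cooperating victims against a hypothetical map of how far each candidate router is from each victim (the kind of map you would build from traceroute during an investigation). Both objections raised in the thread are reflected: a sender who sets an arbitrary initial TTL defeats the first step entirely, and rerouting changes the hop count, which is why a tolerance parameter is provided. All router names, vantage points, distances and observed TTLs below are constructed sample data.

```python
"""TTL-based hop-count estimation and a toy two-vantage-point 'triangulation'.

Hypothetical example for incident responders; every value here is constructed.
"""

# Initial TTLs that common IP stacks use by default (assumption: the sender
# did not override its stack default, which a deliberate attacker can do).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hop_count) for an observed TTL.

    Picks the smallest common initial TTL that is >= the observed value; the
    difference is the number of routers the packet traversed. Raises on
    impossible values so bad captures are not silently turned into hop counts.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 0..255, got %r" % (observed_ttl,))
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is always a candidate")


def candidate_routers(observations, distance_map, tolerance=0):
    """Return the routers consistent with hop counts observed at every vantage.

    observations: {vantage: observed_ttl} as seen by each cooperating victim.
    distance_map: {router: {vantage: hops}} built beforehand (e.g. from
                  traceroute) giving the path length from each candidate
                  router to each vantage point.
    tolerance:    allowed difference in hops, to absorb rerouting; a larger
                  tolerance widens the candidate set rather than losing the
                  real source.
    """
    inferred = {vantage: infer_hops(ttl)[1] for vantage, ttl in observations.items()}
    matches = []
    for router, distances in distance_map.items():
        # A router is only a candidate if it has a known distance to every
        # vantage point and each distance matches the inferred hop count.
        if all(
            vantage in distances and abs(distances[vantage] - hops) <= tolerance
            for vantage, hops in inferred.items()
        ):
            matches.append(router)
    return sorted(matches)


# Constructed sample data: two victims that compared notes, three candidate
# routers on the hypothetical ISP map with their hop distances to each victim.
SAMPLE_OBSERVATIONS = {"victim_a": 118, "victim_b": 121}   # 10 and 7 hops if initial TTL was 128
SAMPLE_DISTANCE_MAP = {
    "router_1": {"victim_a": 10, "victim_b": 7},
    "router_2": {"victim_a": 10, "victim_b": 9},
    "router_3": {"victim_a": 8, "victim_b": 7},
}


if __name__ == "__main__":
    for vantage, ttl in SAMPLE_OBSERVATIONS.items():
        initial, hops = infer_hops(ttl)
        print("%s saw TTL %d -> assumed initial %d, %d hops" % (vantage, ttl, initial, hops))
    print("exact match:", candidate_routers(SAMPLE_OBSERVATIONS, SAMPLE_DISTANCE_MAP))
    print("tolerance 2:", candidate_routers(SAMPLE_OBSERVATIONS, SAMPLE_DISTANCE_MAP, tolerance=2))
```

With the sample data an exact match singles out `router_1`; raising the tolerance to 2 hops (to model the OSPF rerouting Jimi describes) admits all three routers, which is the honest answer: the method narrows the search only as far as the paths are stable, and it says nothing at all if the sender randomizes the TTL.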


