Full Disclosure mailing list archives
Re: hiding routers
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 18 Apr 2007 12:00:22 +0200 (CEST)
On Wed, 18 Apr 2007, Kristian Hermansen wrote:

Hi,

All better firewalling equipment offers a "stealth-routing" feature; patches also exist for the Linux kernel. They can be detected using DF-bit and certain other fields within the IP hdr, depending on implementation and setup. Not decrementing TTL also does not mean that it actually forwards packets with TTL 0.

Sebastian

I brought this question up on another mailing list, but didn't get any good answers... How common is it that a router does not decrement the TTL of packets, such that it is unable to be identified using traceroute? Choosing not to decrement the TTL causes the next router to appear as the hop, but the current router to remain hidden. How does one commonly identify such hidden routers in an automated fashion? And is it policy for any organizations to actually do this, or only with certain packet types? The responses I got were along the lines of "don't do that, it breaks tcp/ip and error conditions". However, I am still interested in how likely an organization is to try something like this for both legitimate and illegitimate purposes.

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/