Security Incidents mailing list archives

Re: ICMP time exceed in-transit packets


From: chris.wilson () ESECURITYINC COM (Christopher Wilson)
Date: Sun, 2 Jan 2000 19:56:55 -0500


Um, no.  It's true that traceroute uses IP TTL timeouts to track the path of
a series of packets, but with a spoofed source, the person initiating the
series of packets never sees the replies, which would defeat the purpose if
it were a "traceroute-ish" utility.  Traceroute doesn't use a spoofed
source.

-Chris

Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL  32901
Email:  chris.wilson () esecurityinc com
Web:            http://www.esecurityinc.com/

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Alain Thivillon
Sent: Saturday, January 01, 2000 3:05 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: [INCIDENTS] ICMP time exceed in-transit packets

Chris Brenton <cbrenton () SOVER NET> wrote:

So the attacker transmits the above packet. While in transit, the TTL
drops to zero. The router receiving the TTL 0 packet realizes it can not
forward it and issues a time exceeded (ICMP type 11) packet back to the
spoofed source address. So what you are seeing in your logs is the error
code generated by the spoofed packets when the TTL expires.

Well, you are saying someone is tracerouting you. Congratulations :)

--
Unix is ending in 13897 days, 7 hours, 9 min, 55 sec : save your buffers
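
As an added illustration (not part of the original thread): an ICMP type 11 message quotes the IP header and first 8 bytes of the packet whose TTL expired, so a receiver can check whether it ever sent that packet. The function names, the flow table and the documentation-range addresses below are assumptions constructed for this sketch.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11

def build_time_exceeded(orig_src, orig_dst, proto, sport, dport):
    """Constructed sample: ICMP type 11 quoting an expired packet (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                     socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    l4 = struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of the TCP/UDP header
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + ip + l4

def parse_time_exceeded(icmp):
    """Return (src, dst, proto, sport, dport) of the quoted packet, or None."""
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    quoted = icmp[8:]                      # skip the 8-byte ICMP header
    ihl = (quoted[0] & 0x0F) * 4           # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        return None
    proto = quoted[9]
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport = dport = 0                      # ports only exist for TCP (6) and UDP (17)
    if proto in (6, 17) and len(quoted) >= ihl + 4:
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def classify(icmp, my_addr, sent_flows):
    """sent_flows: set of (dst, proto, sport, dport) this host really transmitted."""
    q = parse_time_exceeded(icmp)
    if q is None:
        return "not-time-exceeded"
    src, dst, proto, sport, dport = q
    if src != my_addr:
        return "misdelivered"              # quoted source is not this host at all
    if (dst, proto, sport, dport) in sent_flows:
        return "solicited"                 # answer to our own traceroute probe
    return "backscatter"                   # someone else sent it with our address

if __name__ == "__main__":
    me = "192.0.2.10"
    flows = {("198.51.100.7", 17, 40000, 33434)}   # our own UDP traceroute probe
    ours = build_time_exceeded(me, "198.51.100.7", 17, 40000, 33434)
    spoofed = build_time_exceeded(me, "203.0.113.5", 6, 1234, 80)
    print(classify(ours, me, flows), classify(spoofed, me, flows))
```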


