Security Incidents mailing list archives

Re: web related oddity


From: ryan () SECURITYFOCUS COM (Ryan Russell)
Date: Wed, 8 Mar 2000 09:23:07 -0800


On Sat, 4 Mar 2000, Richard Bejtlich wrote:

Hi Don,

Assuming the initial TTL for the 24 Feb activity was 255:

255 - 20 (hops) = 235

Assuming the initial TTL for the 29 Feb activity was 128:

128 - 20 (hops) = 108

The question is, why was 255 initially set, then later 128?
As I understand it, initial TTL is set by the source host, and should only
be decremented by routers, not "recalculated."  Is this everyone's
understanding as well?


Yup.  Of course, it is adjustable:

http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
(Windows example)

I don't know why someone would change it on purpose, and I'm not aware of
anything that will change it automatically on one's Windows box.  Perhaps
he switched OSes?  A quick test shows NT server 4.0, Win98 and Redhat 6.0
all default to 128.

                                        Ryan
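
The TTL reasoning in this thread, as an added example that is not part of the original messages: it infers the initial TTL behind each observed TTL and flags a source whose inferred initial value changes between sightings. The candidate defaults (32, 64, 128, 255), the function names, the hop-drift threshold and the sample records (documentation-range addresses) are assumptions.

```python
# Assumed set of commonly used initial TTL values (not taken from the thread).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops) using the smallest common default >= observed.

    Heuristic only: a sender with a custom TTL, or a very long path, will be
    attributed to the wrong default.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % (observed_ttl,))
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def ttl_shifts(records, max_hop_drift=3):
    """Flag sources whose inferred initial TTL changes between observations.

    records: iterable of (timestamp, src_ip, observed_ttl), in time order
    per source. A changed hop count with the same initial TTL is reported
    only when it exceeds max_hop_drift (small drift is normal re-routing).
    """
    last = {}
    findings = []
    for ts, src, ttl in records:
        initial, hops = infer_initial_ttl(ttl)
        if src in last:
            prev_ts, prev_initial, prev_hops = last[src]
            if initial != prev_initial:
                findings.append((src, prev_ts, ts, "initial_ttl",
                                 prev_initial, initial))
            elif abs(hops - prev_hops) > max_hop_drift:
                findings.append((src, prev_ts, ts, "hop_count",
                                 prev_hops, hops))
        last[src] = (ts, initial, hops)
    return findings

# Constructed sample: the two TTLs discussed in the thread plus a stable host.
SAMPLE = [
    ("2000-02-24", "192.0.2.10", 235),
    ("2000-02-29", "192.0.2.10", 108),
    ("2000-02-24", "198.51.100.7", 52),
    ("2000-02-29", "198.51.100.7", 51),
]

if __name__ == "__main__":
    for finding in ttl_shifts(SAMPLE):
        print(finding)
```

A flagged change in inferred initial TTL is a lead, not a conclusion: it is consistent with a reconfigured stack, a different OS, or a different host using the same address.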

