Security Incidents mailing list archives

Re: web related oddity

From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Tue, 29 Feb 2000 12:45:20 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- What catches my eye is the TTL has changed dramatically
from Feb 24 to
  Feb 29.  Either the O/S of CCC.CCC.CCC.100 has changed, or
there is initial
  TTL trickery going on.


This is probably because the route the packets are taking has
changed.  Since the TTL is decremented for each hop, the changing of
routes can affect this - both local network and backbone network
changes.  Your not getting the initial TTL, your getting the TTL of
the packet after it has been routed over 20 routers (assuminig
initial TTL was 255).

Oliver Friedrichs
Product Marketing Manager,
securityfocus.com
(650) 655-2000 ext. 31

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOLwuZMm4FXxxREdXEQJ+IACfXRGkboVCh5BnHaiU2cOIN9iSKOAAnjHC
6ApsqBe5FxOAuwFU6RF+uP9b
=HoDp
-----END PGP SIGNATURE-----

Current thread:

Re: web related oddity Oliver Friedrichs (Feb 29)
- <Possible follow-ups>
- Re: web related oddity Richard Bejtlich (Mar 04)
  - Port 33434 and decoy-scanning Jan Roger Wilkens (Mar 08)
    - Re: Port 33434 and decoy-scanning Pete Clements (Mar 08)
    - Re: Port 33434 and decoy-scanning Ryan Russell (Mar 09)
  - Re: web related oddity Ryan Russell (Mar 08)
    - Re: web related oddity Christopher L. Morrow (Mar 08)
- Re: web related oddity Donald McLachlan (Mar 07)
  - Re: web related oddity Matthew S. Hallacy (Mar 08)
    - Re: web related oddity Bill Pennington (Mar 08)
    - ftp scan (was Re: web related oddity) Matthew S. Hallacy (Mar 08)

(Thread continues...)