Re: Odd cableone traceroute with 0.0.0.0 in path

[Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>]

On Thu, 28 Oct 2010 12:55:56 -0600
Brielle Bruns <bruns () 2mbit com> wrote:

> Okay, so this has my head hurting a bit just trying to figure out just 
> how this is possible and what kind of equipment would pull this stunt.

My initial guess was that somebody put "0.0.0.0" text as the DNS PTR RR
value for that hop, however that isn't the case as both the name and
the IP address of the hop are 0.0.0.0.

My guess is that the ICMP error that traceroute uses to detect hops is
being sourced from 0.0.0.0 for some reason. Your cable modem wouldn't
be performing any RPF on incoming traffic, so there is nothing to
filter out 0.0.0.0 as an invalid source address (or it may actually be
valid for these ICMP errors - it's the "unspecified" address.)

> Tracing from here (cableone cable modem) to the outside world, I end up 
> with the following at the beginning of my traceroute.
>
>
>   1  192.168.1.1 (192.168.1.1)  2.759 ms  0.803 ms  0.769 ms
>   2  0.0.0.0 (0.0.0.0)  10.462 ms  9.543 ms  8.043 ms
>   3  192.168.32.65 (192.168.32.65)  9.984 ms  9.654 ms  9.570 ms
>   4  te-4-4.car2.seattle1.level3.net (4.53.146.117)  25.960 ms  21.798 
> ms  24.144 ms
> ....  etc
>
> 0.0.0.0 as one of the hops.    So, I pulled out LFT to make sure 
> traceroute isn't going nuts.
>
> Layer Four Traceroute (LFT) version 3.1
> Using device en1, 192.168.1.101:53
> TTL LFT trace to 207.70.17.213:80/tcp
>   1  192.168.1.1 0.9/0.9ms
>   2 /9.8/10.3ms
>   3  192.168.32.65 9.7/8.3ms
>   4  10.255.255.1 9.1/8.4ms
>   5  te-4-4.car2.seattle1.level3.net (4.53.146.117) 29.0/20.2ms
>
> Fun, no entry for hop 2, plus there's an extra hop at #4.  Lets use verbose.
>
> Layer Four Traceroute (LFT) version 3.1 ... (verbosity level 2)
> Using device en1, 192.168.1.101:53
> SENT TCP  TTL=1 SEQ=648736948 FLAGS=0x2 ( SYN )
> SENT TCP  TTL=2 SEQ=648736949 FLAGS=0x2 ( SYN )
> RCVD ICMP SEQ=648736948 SRC=192.168.1.1 PTTL=1 PSEQ=648736948
> SENT TCP  TTL=3 SEQ=648736950 FLAGS=0x2 ( SYN )
> SENT TCP  TTL=4 SEQ=648736951 FLAGS=0x2 ( SYN )
> SENT TCP  TTL=5 SEQ=648736952 FLAGS=0x2 ( SYN )
> SENT TCP  TTL=6 SEQ=648736953 FLAGS=0x2 ( SYN )
> RCVD ICMP SEQ=648736949 SRC=0.0.0.0 PTTL=2 PSEQ=648736949
> SENT TCP  TTL=7 SEQ=648736954 FLAGS=0x2 ( SYN )
> RCVD ICMP SEQ=648736950 SRC=192.168.32.65 PTTL=3 PSEQ=648736950
> RCVD ICMP SEQ=648736951 SRC=10.255.255.1 PTTL=4 PSEQ=648736951
> RCVD ICMP SEQ=648736953 SRC=4.68.105.30 PTTL=6 PSEQ=648736953
>
>
> Am I going nuts, or is something really messed up somewhere upstream 
> from the cable modem?  To quote someone from IRC who's just as confused, 
> "the null route just talked to me".
>
> -- 
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org    /     http://www.ahbl.org