Nmap Development mailing list archives

Re: IPv6 Hop Limit as feature in FPEngine


From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Feb 2015 08:27:43 -0800

On Tue, Feb 24, 2015 at 01:34:03PM +0100, Alexandru Geana wrote:
> > Are there any members of a class that appear not to belong
> > because of a different hoplimit?
> 
> There are certain "anomalies" so to say. For example, the groups "VMware
> ESXi 5" and "OpenBSD 4.8" have one outlier each, which is not very bad I
> think. On the other hand, there are also groups such as "Linux 2.6.32 -
> 2.6.39" with hop limit values centered around 64 and 255 with the average
> around 157. It seems at some point during these two releases the default
> value was changed.

Hmm, yeah, something weird is going on. Take the first group, for
example. The first four samples are of the same target (scanme.nmap.org)
scanned from different locations. I highlight their hoplimit values:

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from david
SCAN(V=5.61TEST4%OT=22%CT=1%CU=38935%DS=5%DC=I)
S1(P=6000{4}2806fbXX{32}0016bfd19de75ded63fd0ed7a01237c841010000020405a00402080a56a24149ff{4}01030305%ST=0.075288%RT=0.088383)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from web
SCAN(V=5.61TEST4%OT=22%CT=1%CU=33901%DS=1%DC=D)
S1(P=6000{4}280640XX{32}001687c316611e7ecaeccd92a01237c884aa0000020405a00402080a56a2e029ff{4}01030305%ST=0.008097%RT=0.008497)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from upload
SCAN(V=5.61TEST4%OT=22%CT=1%CU=44160%DS=1%DC=D)
S1(P=6000{4}280640XX{32}0016b65373a329f999ba5169a01237c855c40000020405a00402080a56a1fb71ff{4}01030305%ST=0.017776%RT=0.018224)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from melchior
SCAN(V=5.61TEST4%OT=22%CT=1%CU=30148%DS=13%DC=I)
S1(P=6000{4}280634XX{32}0016ba9e3529cc8288a0afdfa01237c872360000020405a00402080a56ad1b53ff{4}01030305%ST=0.017312%RT=0.057286)
                ^^

The distance might be relevant. "DS=5%DC=I" means that the distance was
5 hops, guessed by looking at an ICMP reply. "DS=1%DC=D" means it was a
one-hop LAN connection (i.e. with a MAC address), therefore no
intermediate routers.

All together we have
        DS=5  DC=I hoplimit=251
        DS=1  DC=D hoplimit=64
        DS=1  DC=D hoplimit=64
        DS=13 DC=I hoplimit=52
To me, this looks like middlebox interference. I recall that the first
one was using some HE.net tunnel; maybe that does something weird to the
hoplimit.

If that's the case, then we want to leave the high hoplimits in, because
we want the algorithm to learn that they can occur in practice.

Also check this anomaly:

# Linux web 2.6.39.1-x86_64-linode19 #1 SMP Tue Jun 21 10:04:20 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux, from david
SCAN(V=5.61TEST4%OT=22%CT=1%CU=43013%DS=5%DC=I)
S1(P=6000{4}28063cXX{32}0016d16db53cd79b11e290fda01237c8e5b10000020405a00402080a56b00078ff{4}01030307%ST=0.040266%RT=0.053091)
S2(P=6000{4}28063cXX{32}0016d16ebbc9586611e290fea01237c85df40000020405a00402080a56b000dcff{4}01030307%ST=0.140216%RT=0.153378)
S3(P=6000{4}2806fbXX{32}0016d16fc1a1601211e290ffa01237c853090000020405a00101080a56b00142ff{4}01030307%ST=0.240215%RT=0.255098)
S4(P=6000{4}28063cXX{32}0016d170c79360b211e29100a01237c849120000020405a00402080a56b001a4ff{4}01030307%ST=0.340212%RT=0.353178)
S5(P=6000{4}28063cXX{32}0016d171cd323b5411e29101a01237c8686b0000020405a00402080a56b00208ff{4}01030307%ST=0.440216%RT=0.453243)
                ^^

The hoplimit for S3 is different from that of the other TCP probes. There
are actually plenty of examples of this phenomenon in the IPv4 database
already. It also usually indicates middlebox interference, in my
experience.

I think it's worth looking into this issue more closely, if it interests
you.

David Fifield
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
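The two checks discussed in the message, reading the hop limit out of each S-probe response and comparing it across probes of the same scan, as an added example. This is my code, not Nmap's FPEngine. Two things are assumptions derived from the fingerprint lines quoted above rather than taken from Nmap's parser: in the P= field a byte pair followed by `{n}` stands for n copies of that byte (`00{4}` is four zero bytes, `XX{32}` is the 32 masked address bytes), and because DS=1 is a directly connected target, a response crossed DS-1 routers. The sample data is the fingerprint text from the message itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fingerprint lines quoted from the message: four scans of the same scanme
# host from different vantage points, then the five-probe scan of "web".
SCANME_SAMPLES = [
    ("david", "SCAN(V=5.61TEST4%OT=22%CT=1%CU=38935%DS=5%DC=I)",
     "S1(P=6000{4}2806fbXX{32}0016bfd19de75ded63fd0ed7a01237c841010000020405a00402080a56a24149ff{4}01030305%ST=0.075288%RT=0.088383)"),
    ("web", "SCAN(V=5.61TEST4%OT=22%CT=1%CU=33901%DS=1%DC=D)",
     "S1(P=6000{4}280640XX{32}001687c316611e7ecaeccd92a01237c884aa0000020405a00402080a56a2e029ff{4}01030305%ST=0.008097%RT=0.008497)"),
    ("upload", "SCAN(V=5.61TEST4%OT=22%CT=1%CU=44160%DS=1%DC=D)",
     "S1(P=6000{4}280640XX{32}0016b65373a329f999ba5169a01237c855c40000020405a00402080a56a1fb71ff{4}01030305%ST=0.017776%RT=0.018224)"),
    ("melchior", "SCAN(V=5.61TEST4%OT=22%CT=1%CU=30148%DS=13%DC=I)",
     "S1(P=6000{4}280634XX{32}0016ba9e3529cc8288a0afdfa01237c872360000020405a00402080a56ad1b53ff{4}01030305%ST=0.017312%RT=0.057286)"),
]
WEB_SAMPLE = (
    "david", "SCAN(V=5.61TEST4%OT=22%CT=1%CU=43013%DS=5%DC=I)",
    "S1(P=6000{4}28063cXX{32}0016d16db53cd79b11e290fda01237c8e5b10000020405a00402080a56b00078ff{4}01030307%ST=0.040266%RT=0.053091)",
    "S2(P=6000{4}28063cXX{32}0016d16ebbc9586611e290fea01237c85df40000020405a00402080a56b000dcff{4}01030307%ST=0.140216%RT=0.153378)",
    "S3(P=6000{4}2806fbXX{32}0016d16fc1a1601211e290ffa01237c853090000020405a00101080a56b00142ff{4}01030307%ST=0.240215%RT=0.255098)",
    "S4(P=6000{4}28063cXX{32}0016d170c79360b211e29100a01237c849120000020405a00402080a56b001a4ff{4}01030307%ST=0.340212%RT=0.353178)",
    "S5(P=6000{4}28063cXX{32}0016d171cd323b5411e29101a01237c8686b0000020405a00402080a56b00208ff{4}01030307%ST=0.440216%RT=0.453243)",
)

# Assumed P= encoding: a byte pair, optionally followed by {n} for n copies; XX is masked.
_TOKEN = re.compile(r"(XX|[0-9a-fA-F]{2})(?:\{(\d+)\})?")
IPV6_HOP_LIMIT_OFFSET = 7   # after version/class/flow (4), payload length (2), next header (1)
COMMON_INITIAL_HOP_LIMITS = (32, 64, 128, 255)


def expand_packet(p: str) -> List[Optional[int]]:
    """Expand a P= field to one entry per byte; masked XX bytes become None."""
    out: List[Optional[int]] = []
    pos = 0
    while pos < len(p):
        m = _TOKEN.match(p, pos)
        if m is None:
            raise ValueError(f"unparseable P= token at offset {pos}: {p[pos:pos + 8]!r}")
        tok, count = m.group(1), int(m.group(2) or 1)
        out.extend([None if tok == "XX" else int(tok, 16)] * count)
        pos = m.end()
    return out


def hop_limit_of(probe_line: str) -> int:
    """Return the IPv6 hop limit carried in an S-probe response line."""
    m = re.match(r"S\d\(P=([^%)]+)", probe_line)
    if m is None:
        raise ValueError("not an S-probe line")
    pkt = expand_packet(m.group(1))
    if len(pkt) < 40 or pkt[0] is None or pkt[0] >> 4 != 6:
        raise ValueError("P= field does not start with an IPv6 header")
    hl = pkt[IPV6_HOP_LIMIT_OFFSET]
    if hl is None:
        raise ValueError("hop limit byte is masked")
    return hl


def distance_of(scan_line: str) -> Tuple[int, str]:
    """Return (DS, DC) from a SCAN line: hop distance and how it was determined."""
    m = re.search(r"%DS=(\d+)%DC=([A-Z])", scan_line)
    if m is None:
        raise ValueError("SCAN line lacks DS/DC")
    return int(m.group(1)), m.group(2)


def infer_initial_hop_limit(observed: int, distance: int) -> int:
    """Add back one decrement per router (DS-1 of them) and snap to a common default."""
    restored = observed + max(distance - 1, 0)
    for default in COMMON_INITIAL_HOP_LIMITS:
        if restored <= default:
            return default
    return restored


def analyse(sample: Tuple[str, ...]) -> Dict[str, object]:
    """Per-scan summary: hop limit per probe, inferred initial value, cross-probe consistency."""
    vantage, scan_line, *probe_lines = sample
    distance, dc = distance_of(scan_line)
    per_probe = {line[:2]: hop_limit_of(line) for line in probe_lines}
    return {
        "vantage": vantage,
        "distance": distance,
        "dc": dc,
        "probe_hop_limits": per_probe,
        "initial_guess": infer_initial_hop_limit(per_probe["S1"], distance),
        # Probes of one scan that disagree on hop limit are worth keeping as a feature.
        "consistent": len(set(per_probe.values())) == 1,
    }


if __name__ == "__main__":
    for s in SCANME_SAMPLES + [WEB_SAMPLE]:
        print(analyse(s))
```

Run against the quoted lines, the four scanme scans give observed hop limits 251, 64, 64 and 52, and adding back DS-1 decrements gives inferred initial values 255, 64, 64 and 64, which makes the first sample's oddity visible without hand-counting hex. The "web" scan comes out inconsistent because S3 carries 251 while S1, S2, S4 and S5 carry 60; the same S3 response also shows `0101` (two NOP options) where the other probes show `0402` (SACK permitted), which is visible in the hex and fits the middlebox reading of the message.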