Nmap Development mailing list archives
Re: IPv6 Hop Limit as feature in FPEngine
From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Feb 2015 08:27:43 -0800
On Tue, Feb 24, 2015 at 01:34:03PM +0100, Alexandru Geana wrote:
> > Are there any members of a class that appear not to belong because of a different hoplimit?
>
> There are certain "anomalies" so to say. For example, the groups "VMware ESXi 5" and "OpenBSD 4.8" have one outlier each, which is not very bad I think. On the other hand, there are also groups such as "Linux 2.6.32 - 2.6.39" with hop limit values centered around 64 and 255 with the average around 157. It seems at some point during these two releases the default value was changed.
Hmm, yeah, something weird is going on. Take the first group, for example. The first four samples are of the same target (scanme.nmap.org) scanned from different locations. I highlight their hoplimit values:

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from david
SCAN(V=5.61TEST4%OT=22%CT=1%CU=38935%DS=5%DC=I)
S1(P=6000{4}2806fbXX{32}0016bfd19de75ded63fd0ed7a01237c841010000020405a00402080a56a24149ff{4}01030305%ST=0.075288%RT=0.088383)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from web
SCAN(V=5.61TEST4%OT=22%CT=1%CU=33901%DS=1%DC=D)
S1(P=6000{4}280640XX{32}001687c316611e7ecaeccd92a01237c884aa0000020405a00402080a56a2e029ff{4}01030305%ST=0.008097%RT=0.008497)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from upload
SCAN(V=5.61TEST4%OT=22%CT=1%CU=44160%DS=1%DC=D)
S1(P=6000{4}280640XX{32}0016b65373a329f999ba5169a01237c855c40000020405a00402080a56a1fb71ff{4}01030305%ST=0.017776%RT=0.018224)
                ^^

# Linux scanme 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux, Ubuntu 10.04, from melchior
SCAN(V=5.61TEST4%OT=22%CT=1%CU=30148%DS=13%DC=I)
S1(P=6000{4}280634XX{32}0016ba9e3529cc8288a0afdfa01237c872360000020405a00402080a56ad1b53ff{4}01030305%ST=0.017312%RT=0.057286)
                ^^

The distance might be relevant. "DS=5%DC=I" means that the distance was 5 hops, guessed by looking at an ICMP reply. "DS=1%DC=D" means it was a one-hop LAN connection (i.e. with a MAC address), therefore no intermediate routers. All together we have

DS=5  DC=I hoplimit=251
DS=1  DC=D hoplimit=64
DS=1  DC=D hoplimit=64
DS=13 DC=I hoplimit=52

To me, this looks like middlebox interference. I recall that the first one was using some HE.net tunnel; maybe that does something weird to the hoplimit. If that's the case, then we want to leave the high hoplimits in, because we want the algorithm to learn that they can occur in practice.
Also check this anomaly:

# Linux web 2.6.39.1-x86_64-linode19 #1 SMP Tue Jun 21 10:04:20 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux, from david
SCAN(V=5.61TEST4%OT=22%CT=1%CU=43013%DS=5%DC=I)
S1(P=6000{4}28063cXX{32}0016d16db53cd79b11e290fda01237c8e5b10000020405a00402080a56b00078ff{4}01030307%ST=0.040266%RT=0.053091)
S2(P=6000{4}28063cXX{32}0016d16ebbc9586611e290fea01237c85df40000020405a00402080a56b000dcff{4}01030307%ST=0.140216%RT=0.153378)
S3(P=6000{4}2806fbXX{32}0016d16fc1a1601211e290ffa01237c853090000020405a00101080a56b00142ff{4}01030307%ST=0.240215%RT=0.255098)
                ^^
S4(P=6000{4}28063cXX{32}0016d170c79360b211e29100a01237c849120000020405a00402080a56b001a4ff{4}01030307%ST=0.340212%RT=0.353178)
S5(P=6000{4}28063cXX{32}0016d171cd323b5411e29101a01237c8686b0000020405a00402080a56b00208ff{4}01030307%ST=0.440216%RT=0.453243)

The hoplimit for S3 is different than for the other TCP probes. There are actually plenty of examples of this phenomenon in the IPv4 database already. It also usually indicates middlebox interference, in my experience.

I think it's worth looking into this issue more closely, if it interests you.

David Fifield

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
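The hop-limit check David does by hand above, as an added example that is not part of the thread and not Nmap's own FPEngine code: it decodes the P= hex of the quoted records (assuming "{n}" means the preceding byte occurs n times in total, which is consistent with the 40-byte IPv6 header the samples show), reads the hop limit at IPv6 header offset 7 next to the DS/DC values, and flags any probe within one record whose hop limit departs from the rest, the S3 case. The RECORDS table is constructed from the records quoted in the message.

```python
import re
# Added helper, not Nmap's code. Assumed "P=" notation (nmap-os6-db): "{n}" means
# the preceding byte occurs n times in total, so 6000{4}2806fb is the IPv6 header
# 60 00 00 00 | 00 28 | 06 | fb (payload len 40, next hdr TCP, hop limit 251) and
# XX{32} the masked addresses. RECORDS: the records quoted above, constructed input.
RECORDS = {
    "scanme/david": "SCAN(V=5.61TEST4%OT=22%CT=1%CU=38935%DS=5%DC=I) S1(P=6000{4}2806fbXX{32}0016bfd19de75ded63fd0ed7a01237c841010000020405a00402080a56a24149ff{4}01030305%ST=0.075288%RT=0.088383)",
    "scanme/web": "SCAN(V=5.61TEST4%OT=22%CT=1%CU=33901%DS=1%DC=D) S1(P=6000{4}280640XX{32}001687c316611e7ecaeccd92a01237c884aa0000020405a00402080a56a2e029ff{4}01030305%ST=0.008097%RT=0.008497)",
    "scanme/upload": "SCAN(V=5.61TEST4%OT=22%CT=1%CU=44160%DS=1%DC=D) S1(P=6000{4}280640XX{32}0016b65373a329f999ba5169a01237c855c40000020405a00402080a56a1fb71ff{4}01030305%ST=0.017776%RT=0.018224)",
    "scanme/melchior": "SCAN(V=5.61TEST4%OT=22%CT=1%CU=30148%DS=13%DC=I) S1(P=6000{4}280634XX{32}0016ba9e3529cc8288a0afdfa01237c872360000020405a00402080a56ad1b53ff{4}01030305%ST=0.017312%RT=0.057286)",
    "web/david": "SCAN(V=5.61TEST4%OT=22%CT=1%CU=43013%DS=5%DC=I) "
        "S1(P=6000{4}28063cXX{32}0016d16db53cd79b11e290fda01237c8e5b10000020405a00402080a56b00078ff{4}01030307%ST=0.040266%RT=0.053091) "
        "S2(P=6000{4}28063cXX{32}0016d16ebbc9586611e290fea01237c85df40000020405a00402080a56b000dcff{4}01030307%ST=0.140216%RT=0.153378) "
        "S3(P=6000{4}2806fbXX{32}0016d16fc1a1601211e290ffa01237c853090000020405a00101080a56b00142ff{4}01030307%ST=0.240215%RT=0.255098) "
        "S4(P=6000{4}28063cXX{32}0016d170c79360b211e29100a01237c849120000020405a00402080a56b001a4ff{4}01030307%ST=0.340212%RT=0.353178) "
        "S5(P=6000{4}28063cXX{32}0016d171cd323b5411e29101a01237c8686b0000020405a00402080a56b00208ff{4}01030307%ST=0.440216%RT=0.453243)",
}

def decode_probe(hexstr):
    """Expand the run-length hex to byte values; masked XX bytes become None."""
    out = []
    for tok, rep in re.findall(r"([0-9a-fA-F]{2}|XX)(?:\{(\d+)\})?", hexstr):
        out.extend([None if tok == "XX" else int(tok, 16)] * (int(rep) if rep else 1))
    return out

def parse_fields(hexstr):
    """Fixed-offset IPv6 header fields, plus TCP basics when the next header is 6."""
    b = decode_probe(hexstr)
    assert len(b) >= 40 and b[0] >> 4 == 6, "not an IPv6 packet"
    f = {"payload_len": (b[4] << 8) | b[5], "next_hdr": b[6], "hop_limit": b[7]}
    if f["next_hdr"] == 6 and len(b) >= 60:  # TCP header follows the 40-byte IPv6 header
        t = b[40:]
        f["sport"], f["flags"], f["window"] = (t[0] << 8) | t[1], t[13] & 0x3F, (t[14] << 8) | t[15]
    return f

def hop_limits(record):
    """Probe name -> hop limit for every S<n>(P=...) response in one db record."""
    return {n: parse_fields(hx)["hop_limit"] for n, hx in re.findall(r"(S\d)\(P=([0-9a-fA-FX{}]+)", record)}

def inconsistent_probes(record):
    """Probes whose hop limit departs from the record's majority value (the S3 case above)."""
    hl = hop_limits(record)
    majority = max(set(hl.values()), key=list(hl.values()).count) if hl else None
    return sorted(n for n, v in hl.items() if v != majority)

def summarize(records):
    """(label, DS, DC, S1 hop limit) rows, i.e. the table David tabulates by hand above."""
    return [(label, int(ds), dc, hop_limits(rec).get("S1"))
            for label, rec in records.items()
            for ds, dc in [re.search(r"DS=(\d+)%DC=([A-Z])", rec).groups()]]
```

Running summarize(RECORDS) reproduces the DS/DC/hoplimit rows above, and inconsistent_probes(RECORDS["web/david"]) returns the lone S3 probe; the same functions can be run over a whole nmap-os6-db to list every record with mixed hop limits.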