Security Incidents mailing list archives
Re: ICMP time exceed in-transit packets
From: chris.wilson () ESECURITYINC COM (Christopher Wilson)
Date: Sun, 2 Jan 2000 19:56:55 -0500
Um, no. It's true that traceroute uses IP TTL timeouts to track the path of a series of packets, but with a spoofed source, the person initiating the series of packets never sees the replies, which would defeat the purpose if it were a "traceroute-ish" utility. Traceroute doesn't use a spoofed source. -Chris Christopher Wilson e-Security, Inc. 700 S. Babcock St., Suite 200 Melbourne, FL 32901 Email: chris.wilson () esecurityinc com Web: http://www.esecurityinc.com/ -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Alain Thivillon Sent: Saturday, January 01, 2000 3:05 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: [INCIDENTS] ICMP time exceed in-transit packets Chris Brenton <cbrenton () SOVER NET> écrivait (wrote) :
So the attacker transmits the above packet. While in transit, the TTL drops to zero. The router receiving the TTL 0 packet realizes it can not forward it and issues a time exceeded (ICMP type 11) packet back to the spoofed source address. So what you are seeing in your logs is the error code generated by the spoofed packets when the TTL expires.
Well, you are saying someone is tracerouting you. Congratulations :) -- Unix is ending in 13897 days, 7 hours, 9 min, 55 sec : save your buffers
Current thread:
- Re: ICMP time exceed in-transit packets White, Tim (Dec 31)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Re: ICMP time exceed in-transit packets Christopher Wilson (Jan 02)
- port 119 Dariusz Zmokly (Jan 03)
- Re: port 119 Robert Graham (Jan 03)
- Re: port 119 Thomas Molina (Jan 04)
- Re: port 119 Vince Vielhaber (Jan 05)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Ports 25092 / 20869 Vanja Hrustic (Jan 04)
- Re: Ports 25092 / 20869 Robert Graham (Jan 04)
- port 1150 and 4833 ? Kim R. Rasmussen (Jan 04)
- Re: port 1150 and 4833 ? Frameloss, Frameloss (Jan 10)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)
- Re: port 119 R a v e N (Jan 05)
- Re: port 119 Scott Laws (Jan 04)