Security Incidents mailing list archives
Re: web related oddity
From: cmorrow () UU NET (Christopher L. Morrow)
Date: Wed, 8 Mar 2000 12:58:08 -0500
On Wed, 8 Mar 2000, Ryan Russell wrote:
> On Sat, 4 Mar 2000, Richard Bejtlich wrote:
>
> > Hi Don,
> >
> > Assuming the initial TTL for the 24 Feb activity was 255:
> > 255 - 20 (hops) = 235
> >
> > Assuming the initial TTL for the 29 Feb activity was 128:
> > 128 - 20 (hops) = 108
> >
> > The question is, why was 255 initially set, then later 128? As I understand it, initial TTL is set by the source host, and should only be decremented by routers, not "recalculated." Is this everyone's understanding as well?
>
> Yup. Of course, it is adjustable:
>
> http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
> (Windows example)
>
> I don't know why someone would change it on purpose, and I'm not aware of anything that will change it automatically on one's Windows box. Perhaps he switched OSes? A quick test shows NT server 4.0, Win98 and Redhat 6.0 all default to 128.

You can change it via SNMP on Windows NT systems. In fact, the default community string on NT is "public", the default level of access is equivalent to what the "RW" string (typical default 'private') gets you. You can change the default TTL for IP packets, admin down an interface... Lots of fun. :)

The really neat thing about this is that you can alter the TTL at will while the admin of the box is busy trying to figure out why only certain websites are accessible on this single machine... I bet this is a BEAR to troubleshoot.

-Chris
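
Added example, not part of the original thread: a log-review helper that repeats the TTL arithmetic quoted above for every source and flags those whose inferred initial TTL changes between sightings. The list of common initial TTLs, the function names and the sample addresses are assumptions made for this illustration.

```python
from collections import defaultdict

# Assumption: the sender used one of these common initial TTL values and the
# path is shorter than the gap between neighbouring defaults.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops) using the smallest common default >= observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def find_ttl_shifts(records):
    """records: iterable of (date, src_ip, observed_ttl).

    Return {src_ip: [(date, initial_ttl, hops), ...]} for every source whose
    inferred initial TTL differs between observations.
    """
    by_src = defaultdict(list)
    for date, src, ttl in records:
        by_src[src].append((date, *infer_initial_ttl(ttl)))
    return {
        src: obs
        for src, obs in by_src.items()
        if len({initial for _, initial, _ in obs}) > 1
    }


# Constructed sample. Addresses are documentation-range placeholders; the TTLs
# 235 and 108 are the two values worked through in the quoted message.
SAMPLE = [
    ("2000-02-24", "192.0.2.10", 235),
    ("2000-02-29", "192.0.2.10", 108),
    ("2000-02-24", "198.51.100.7", 52),
    ("2000-02-29", "198.51.100.7", 52),
]

if __name__ == "__main__":
    for src, obs in find_ttl_shifts(SAMPLE).items():
        same_path = len({hops for _, _, hops in obs}) == 1
        note = "same hop count" if same_path else "hop count differs"
        print(src, obs, note)
```

A changed initial TTL with an unchanged hop count fits the explanations raised in the thread (a different OS, or a TTL setting altered on the same host); a changed hop count as well suggests a different path or a different sender.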