Security Incidents mailing list archives
Re: web related oddity
From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Wed, 8 Mar 2000 13:59:39 -0500
> From: Ryan Russell <ryan () SECURITYFOCUS COM>
>
> On Sat, 4 Mar 2000, Richard Bejtlich wrote:
>
> > Hi Don,
> >
> > Assuming the initial TTL for the 24 Feb activity was 255:
> > 255 - 20 (hops) = 235
> >
> > Assuming the initial TTL for the 29 Feb activity was 128:
> > 128 - 20 (hops) = 108
> >
> > The question is, why was 255 initially set, then later 128? As I
> > understand it, initial TTL is set by the source host, and should only
> > be decremented by routers, not "recalculated." Is this everyone's
> > understanding as well?
>
> Yup. Of course, it is adjustable:
>
> http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
> (Windows example)
>
> I don't know why someone would change it on purpose, and I'm not aware
> of anything that will change it automatically on one's Windows box.
> Perhaps he switched OSes? A quick test shows NT server 4.0, Win98 and
> Redhat 6.0 all default to 128.
>
> Ryan

The world is not Windows-only. With ndd on Solaris it can be changed on the fly.

I won't reproduce it here, but http://www.map.ethz.ch/ftp-probleme.htm shows default TTL values of 30, 32, 60, 64, 128, and 255 for TCP, and default values of 30, 60, 64, 128 and 255 for different O/S's.

Don
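
The TTL reasoning in this thread, written out as an added example that is not part of the original messages: it maps an observed TTL back to the default initial values listed above and flags a source whose consecutive observations cannot share an initial TTL. The function names, the 30-hop ceiling, the sample addresses and the second sample source are assumptions made for illustration.

```python
from collections import defaultdict

# Default initial TTLs taken from the list in the message above.
DEFAULT_TTLS = (30, 32, 60, 64, 128, 255)
MAX_HOPS = 30  # assumption: longer paths are treated as implausible


def candidates(observed, hops=None):
    """Map each plausible initial TTL to the hop count it implies.

    If the hop count is already known (e.g. from a traceroute), only an
    exact match is kept.
    """
    out = {}
    for initial in DEFAULT_TTLS:
        implied = initial - observed
        if 0 <= implied <= MAX_HOPS and (hops is None or implied == hops):
            out[initial] = implied
    return out


def ttl_shifts(records):
    """Yield (src, earlier, later) when a source's consecutive observations
    share no candidate initial TTL, so hop-count drift cannot explain it."""
    by_src = defaultdict(list)
    for date, src, ttl in records:
        by_src[src].append((date, ttl))
    for src, seen in by_src.items():
        seen.sort()  # ISO dates sort chronologically
        for (d1, t1), (d2, t2) in zip(seen, seen[1:]):
            c1, c2 = candidates(t1), candidates(t2)
            if c1 and c2 and not set(c1) & set(c2):
                yield src, (d1, t1, sorted(c1)), (d2, t2, sorted(c2))


# Constructed sample: TTLs 235 and 108 are the thread's values; the
# addresses and the second source are made up for illustration.
SAMPLE = [
    ("2000-02-24", "192.0.2.10", 235),
    ("2000-02-29", "192.0.2.10", 108),
    ("2000-02-24", "198.51.100.7", 50),
    ("2000-02-29", "198.51.100.7", 49),  # one extra hop, same candidates
]

if __name__ == "__main__":
    for hit in ttl_shifts(SAMPLE):
        print(hit)
```

A flagged source is consistent with a retuned stack, a different operating system, or a different host sending from the same address; the TTL alone does not say which.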