Penetration Testing mailing list archives
Re: getting different ttl values for the same IP
From: Maciek Dudek <cneither () gmail com>
Date: Sun, 1 Jan 2006 16:13:41 +0100
On 12/30/05, Technica Forensis <forensis.technica () gmail com> wrote:
10.10.10.10;400 ms (TTL=106) - Echo Reply;401 ms (TTL=102) - Echo Reply;400 ms (TTL=102) - Echo Reply;(Unknown);This run is the one that bothers me... why does it change from 106 to 102? Where did the alleged four extra hops come from? Changing from 255-230=25 to 128-103=25 makes sense if a load balancer
is going between two systems of different OSes, which is good for survivability. But, assuming the max of 255 and 128 are the starting points, why does the number of hops change from 25 to 22 to 26?
I think the number of hops changes cause when source host sends echo requests to targets, these packets pass the same way, but when the target responses, its packets go through different way(other than requests), cause some routers routed these packets differently at that moment. Some ways are short, the others are long so the number of hops was changed (and of course ttl) . This change of track can appear everywhere, and in this case it happened. So, I'd say that was the reason.
Assuming that the network was laid out by a sane person and doesn't have 4 or 5 extra devices in the way that are only sometimes used,
Sane person laid out correct network, but packets can be route in various way.(e.g when track is long). It doesn't mean that some devices are only sometimes used.
obfuscation is the only thing that seems to make sense. A load balancer switching between a few systems that have different maxes that then passes through a firewall that subtracts 1-10 hops, randomly, in order to hide the layout of the network behind it.
Not every network work this way. Cheers Maciek Dudek ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: getting different ttl values for the same IP Maciek Dudek (Jan 01)
- <Possible follow-ups>
- RE: getting different ttl values for the same IP Andrew Lacey (Jan 02)