Re: getting different ttl values for the same IP

From: Maciek Dudek (cneither@gmail.com)
Date: Sun Jan 01 2006 - 10:13:41 EST

• Next message: Chris Serafin: "RE: Pentesting Network Share Access via wireless"
• Previous message: Inspiration: "RE: Pentesting Network Share Access via wireless"
• In reply to: Technica Forensis: "Re: getting different ttl values for the same IP"
• Next in thread: Andrew Lacey: "RE: getting different ttl values for the same IP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 12/30/05, Technica Forensis <forensis.technica@gmail.com> wrote:
> > 10.10.10.10;400 ms (TTL=106) - Echo Reply;401 ms (TTL=102) - Echo Reply;400 ms (TTL=102) - Echo Reply;(Unknown);
>
> This run is the one that bothers me... why does it change from 106 to
> 102? Where did the alleged four extra hops come from?
>
> Changing from 255-230=25 to 128-103=25 makes sense if a load balancer

> is going between two systems of different OSes, which is good for
> survivability. But, assuming the max of 255 and 128 are the starting
> points, why does the number of hops change from 25 to 22 to 26?

I think the number of hops changes cause when source host sends echo
requests to targets, these packets pass the same way, but when the
target responses, its packets go through different way(other than
requests), cause some routers routed these packets differently at that
moment. Some ways are short, the others are long so the number of
hops was changed (and of course ttl) . This change of track can appear
everywhere, and in this case it happened. So, I'd say that was the
reason.

>Assuming that the network was laid out by a sane person and doesn't
> have 4 or 5 extra devices in the way that are only sometimes used,

Sane person laid out correct network, but packets can be route in
various way.(e.g when track is long). It doesn't mean that some
devices are only sometimes used.

> obfuscation is the only thing that seems to make sense.
>
> A load balancer switching between a few systems that have different
> maxes that then passes through a firewall that subtracts 1-10 hops,
> randomly, in order to hide the layout of the network behind it.

Not every network work this way.

Cheers

Maciek Dudek

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Chris Serafin: "RE: Pentesting Network Share Access via wireless"
• Previous message: Inspiration: "RE: Pentesting Network Share Access via wireless"
• In reply to: Technica Forensis: "Re: getting different ttl values for the same IP"
• Next in thread: Andrew Lacey: "RE: getting different ttl values for the same IP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:18 EDT