bejtlichTEXAS.NET

• Next message: Ryan Russell: "Re: getting to the point with DDoS"
• Previous message: Russell Fulton: "lots of interest in port 109 (POP2)"
• Next in thread: Donald McLachlan: "Re: web related oddity"
• Reply: Ryan Russell: "Re: web related oddity"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Don,

Assuming the initial TTL for the 24 Feb activity was 255:

255 - 20 (hops) = 235

Assuming the initial TTL for the 29 Feb activity was 128:

128 - 20 (hops) = 108

The questions is, why was 255 initially set, then later 128?
As I understand it, initial TTL is set by the source host,
and should only
be decremented by routers, not "recalculated." Is this
everyone's
understanding as well?

Incidentally, I observed similar activity from the source
host, although the
TTLs I observed were in the 40's range. This would lead me
to believe the initial
TTL may have been 64.

Richard

-----

- What catches my eye is the TTL has changed dramatically
from Feb 24 to
  Feb 29. Either the O/S of CCC.CCC.CCC.100 has changed,
or there is initial
  TTL trickery going on.

From Feb 24

10:44:06.296402 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1586:
R 0:0(0) ack 674719802 win 0 (ttl 235, id 20884)
14:02:28.310627 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1218:
R 0:0(0) ack 674719802 win 0 (ttl 235, id 63165)
14:29:39.975886 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.2298:
R 0:0(0) ack 674719802 win 0 (ttl 235, id 17232)

From Feb 29

09:43:42.091875 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1734:
R 0:0(0) ack 674719802 win 0 (ttl 108, id 57993)

Anyone else seeing this?

Don

• Next message: Ryan Russell: "Re: getting to the point with DDoS"
• Previous message: Russell Fulton: "lots of interest in port 109 (POP2)"
• Next in thread: Donald McLachlan: "Re: web related oddity"
• Reply: Ryan Russell: "Re: web related oddity"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]