Subject: Re: web related oddity
From: Donald McLachlan (donMAINFRAME.DGRC.CRC.CA)
Date: Tue Mar 07 2000 - 08:48:12 CST


Hello Richard,

> Reply-To: Richard Bejtlich <bejtlichTEXAS.NET>
>
> Hi Don,
>
> Assuming the initial TTL for the 24 Feb activity was 255:
>
> 255 - 20 (hops) = 235
>
> Assuming the initial TTL for the 29 Feb activity was 128:
>
> 128 - 20 (hops) = 108
>
> The question is, why was 255 initially set, then later 128?

I made a second post about this later in the day on Feb 29, but I don't
remember seeing it on the list. Anyway, a couple hours later the TTL
was back to 235. Sure looks like TTL trickery to me, or maybe a dual
boot host switching O/S's?

> As I understand it, initial TTL is set by the source host, and should only
> be decremented by routers, not "recalculated." Is this everyone's
> understanding as well?

Yes, but ...

- crafted packets can have any TTL (my first guess).
- ndd can be used to change the TTL.

But since I was not sending the initial packets, the resets in themselves
are interesting. ... Maybe side effect of a DoS spoofing my address ...
but frequency of resets was (~1/hour), and only occurred after I visited
some European web sites.

> Incidentally, I observed similar activity from the source host, although the
> TTLs I observed were in the 40's range. This would lead me to believe the
> initial TTL may have been 64.
>
> Richard

FYI, I just tried to ping/telnet to 194.182.239.100 and got no replies. Maybe
someone complained and the system has been shut down? ... Or it might
just be a dual boot laptop that is not always home, or a dual boot PC sometimes
turned off, or a host that does IP stack twiddling to mask the O/S?

Lots of ideas, few answers.

Don
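The inference Richard and Don are doing by hand (guess the initial TTL from the usual 64/128/255 defaults, subtract to get a hop count, and get suspicious when the inferred initial TTL for one source jumps around) can be automated over a log of observed TTLs. The following is an added example, not code from the thread; the 64/128/255 default set, the record layout and the sample observations are constructed here, and as Don notes the hop estimate is only as good as the initial-TTL guess, since crafted packets or a tuned stack (ndd) can carry any TTL.

```python
from collections import defaultdict

# Initial TTLs commonly set by OS IP stacks (assumption: the 64/128/255 defaults).
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hop_count): the smallest common default that is
    >= the observed value, and the distance implied by it."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 0..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 always matches")


def ttl_inconsistencies(records):
    """records: iterable of (timestamp, source_ip, observed_ttl).
    Returns {source_ip: [(timestamp, ttl, inferred_initial, hops), ...]} for
    sources whose inferred initial TTL is not constant, which is what a host
    switching operating systems or crafting its TTL would look like."""
    per_source = defaultdict(list)
    for ts, src, ttl in records:
        initial, hops = infer_initial_ttl(ttl)
        per_source[src].append((ts, ttl, initial, hops))
    return {src: obs for src, obs in per_source.items()
            if len({o[2] for o in obs}) > 1}


# Constructed sample observations echoing the TTLs discussed in the thread
# (235, 108, 235 again, and one in the 40s); timestamps are made up.
SAMPLE_RECORDS = [
    ("2000-02-24 10:00", "194.182.239.100", 235),
    ("2000-02-29 09:00", "194.182.239.100", 108),
    ("2000-02-29 11:00", "194.182.239.100", 235),
    ("2000-03-01 14:00", "194.182.239.100", 44),
    ("2000-02-24 10:05", "192.0.2.10", 60),   # steady: always 64 - 4 hops
    ("2000-02-25 10:05", "192.0.2.10", 60),
]

if __name__ == "__main__":
    for src, obs in ttl_inconsistencies(SAMPLE_RECORDS).items():
        print(src)
        for ts, ttl, initial, hops in obs:
            print(f"  {ts}: ttl={ttl:3d}  initial~{initial:3d}  hops~{hops}")
```

With the sample data only 194.182.239.100 is reported, with inferred initial TTLs of 255, 128, 255 and 64 at a constant 20 hops, which is exactly the pattern that made the thread suspect a dual-boot host or TTL trickery.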