|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: web related oddity
From: Ryan Russell (ryan
SECURITYFOCUS.COM)Date: Wed Mar 08 2000 - 11:23:07 CST
- Next message: Jan Roger Wilkens: "Port 33434 and decoy-scanning"
- Previous message: Omachonu Ogali: "Re: Mail Server attack"
- In reply to: Richard Bejtlich: "Re: web related oddity"
- Next in thread: Christopher L. Morrow: "Re: web related oddity"
- Reply: Ryan Russell: "Re: web related oddity"
- Reply: Christopher L. Morrow: "Re: web related oddity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sat, 4 Mar 2000, Richard Bejtlich wrote:
> Hi Don,
>
> Assuming the initial TTL for the 24 Feb activity was 255:
>
> 255 - 20 (hops) = 235
>
> Assuming the initial TTL for the 29 Feb activity was 128:
>
> 128 - 20 (hops) = 108
>
> The questions is, why was 255 initially set, then later 128?
> As I understand it, initial TTL is set by the source host,
> and should only
> be decremented by routers, not "recalculated." Is this
> everyone's
> understanding as well?
>
Yup. Of course, it is adjustable:
http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
(Windows example)
I don't know why someone would change it on purpose, and I'm not aware of
anything that will change it automatically on one's WIndows box. Perhaps
he switched OSes? A quick test shows NT server 4.0, Win98 and Redhat 6.0
all default to 128.
Ryan
- Next message: Jan Roger Wilkens: "Port 33434 and decoy-scanning"
- Previous message: Omachonu Ogali: "Re: Mail Server attack"
- In reply to: Richard Bejtlich: "Re: web related oddity"
- Next in thread: Christopher L. Morrow: "Re: web related oddity"
- Reply: Ryan Russell: "Re: web related oddity"
- Reply: Christopher L. Morrow: "Re: web related oddity"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]