OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: web related oddity
From: Christopher L. Morrow (cmorrowUU.NET)
Date: Wed Mar 08 2000 - 11:58:08 CST

On Wed, 8 Mar 2000, Ryan Russell wrote:

> On Sat, 4 Mar 2000, Richard Bejtlich wrote:
>
> > Hi Don,
> >
> > Assuming the initial TTL for the 24 Feb activity was 255:
> >
> > 255 - 20 (hops) = 235
> >
> > Assuming the initial TTL for the 29 Feb activity was 128:
> >
> > 128 - 20 (hops) = 108
> >
> > The questions is, why was 255 initially set, then later 128?
> > As I understand it, initial TTL is set by the source host,
> > and should only
> > be decremented by routers, not "recalculated." Is this
> > everyone's
> > understanding as well?
> >
>
> Yup. Of course, it is adjustable:
>
> http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
> (Windows example)
>
> I don't know why someone would change it on purpose, and I'm not aware of
> anything that will change it automatically on one's WIndows box. Perhaps
> he switched OSes? A quick test shows NT server 4.0, Win98 and Redhat 6.0
> all default to 128.

You can change it via SNMP on windows NT systems. In fact, the default
community string on NT is "public", the default level of access is
equivalent to what the "RW" string (typical default 'private') gets you.

You can change the default TTL for IP packets, admin down and
interface... Lots of fun. :)

The really neat thing about this is that you can alter the TTL at will
while the admin of the box is busy trying to figure out why only certain
websites are accessible on this single machine... I bet this is a BEAR to
troubleshoot.

-Chris