Subject: Re: web related oddity
From: Donald McLachlan (don MAINFRAME.DGRC.CRC.CA)
Date: Wed Mar 08 2000 - 12:59:39 CST
> From: Ryan Russell <ryan SECURITYFOCUS.COM>
>
> On Sat, 4 Mar 2000, Richard Bejtlich wrote:
>
> > Hi Don,
> >
> > Assuming the initial TTL for the 24 Feb activity was 255:
> >
> > 255 - 20 (hops) = 235
> >
> > Assuming the initial TTL for the 29 Feb activity was 128:
> >
> > 128 - 20 (hops) = 108
> >
> > The question is, why was 255 initially set, then later 128?
> > As I understand it, initial TTL is set by the source host, and should only
> > be decremented by routers, not "recalculated." Is this everyone's
> > understanding as well?
> >
>
> Yup. Of course, it is adjustable:
>
> http://support.microsoft.com/support/kb/articles/Q120/6/42.asp?LNG=ENG&SA=ALLKB&FR=0
> (Windows example)
>
> I don't know why someone would change it on purpose, and I'm not aware of
> anything that will change it automatically on one's Windows box. Perhaps
> he switched OSes? A quick test shows NT server 4.0, Win98 and Redhat 6.0
> all default to 128.
>
> Ryan

The world is not Windows-only. With ndd on Solaris it can be changed on the
fly.

I won't reproduce it here, but http://www.map.ethz.ch/ftp-probleme.htm
shows default TTL values of 30, 32, 60, 64, 128, and 255 for TCP, and
default values of 30, 60, 64, 128 and 255 for different O/S's.

Don
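
The TTL arithmetic discussed in this thread, as an added example that is not part of any poster's message: it lists every default initial TTL consistent with an observed value and flags a source whose inferred initial TTL changes between sightings. The 32-hop ceiling, the function names and the source address 192.0.2.10 are assumptions made for illustration; the observed TTLs 235 and 108 and the list of defaults come from the thread.

```python
# Default initial TTLs named in the thread (TCP list).
DEFAULT_TTLS = (30, 32, 60, 64, 128, 255)
MAX_HOPS = 32  # assumption: paths longer than this are treated as implausible


def candidates(observed_ttl, max_hops=MAX_HOPS):
    """Return every (initial_ttl, hops) pair consistent with an observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("observed TTL must be in 1..255")
    return [(init, init - observed_ttl)
            for init in DEFAULT_TTLS
            if 0 <= init - observed_ttl <= max_hops]


def best_guess(observed_ttl):
    """Pick the candidate with the fewest hops, or None if nothing fits."""
    found = candidates(observed_ttl)
    return found[0] if found else None


def ttl_shifts(observations):
    """Flag sources whose inferred initial TTL changes between sightings.

    observations: iterable of (date, source, observed_ttl), oldest first.
    Returns (source, old_date, old_initial, new_date, new_initial, same_hops).
    same_hops=True means the path length still matches, so the change is
    more likely on the sending host (OS or setting) than in the route.
    """
    last_seen = {}
    shifts = []
    for date, source, ttl in observations:
        guess = best_guess(ttl)
        if guess is None:
            continue
        previous = last_seen.get(source)
        if previous and previous[1][0] != guess[0]:
            old_date, (old_init, old_hops) = previous
            shifts.append((source, old_date, old_init, date, guess[0],
                           old_hops == guess[1]))
        last_seen[source] = (date, guess)
    return shifts


# Constructed sample: TTLs from the thread, source address is a placeholder.
SAMPLE = [("2000-02-24", "192.0.2.10", 235),
          ("2000-02-29", "192.0.2.10", 108)]

if __name__ == "__main__":
    for shift in ttl_shifts(SAMPLE):
        print(shift)
```

Low observed values are ambiguous: a TTL of 28 fits initial values of 30, 32 and 60 under the hop ceiling, so `candidates()` is worth checking before trusting `best_guess()`.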