Um, no. It's true that traceroute uses IP TTL timeouts to track the path of
a series of packets, but with a spoofed source, the person initiating the
series of packets never sees the replies, which would defeat the purpose if
it were a "traceroute-ish" utility. Traceroute doesn't use a spoofed
source.
-Chris
Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL 32901
Email: chris.wilson_at_esecurityinc.com
Web: http://www.esecurityinc.com/

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
Behalf Of Alain Thivillon
Sent: Saturday, January 01, 2000 3:05 PM
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: Re: [INCIDENTS] ICMP time exceed in-transit packets
Chris Brenton <cbrenton_at_SOVER.NET> wrote:
> So the attacker transmits the above packet. While in transit, the TTL
> drops to zero. The router receiving the TTL 0 packet realizes it can not
> forward it and issues a time exceeded (ICMP type 11) packet back to the
> spoofed source address. So what you are seeing in your logs is the error
> code generated by the spoofed packets when the TTL expires.
Well, you are saying someone is tracerouting you. Congratulations :)
--
Unix is ending in 13897 days, 7 hours, 9 min, 55 sec : save your buffers
Received on Jan 02 2000
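
Added example, not part of the original thread: an ICMP time exceeded (type 11) message quotes the IP header and first 8 bytes of the packet whose TTL expired, so the owner of the source address can read what the packet was aimed at and check it against traffic the host really sent. The addresses, ports, sample packet and the sent_flows set are constructed for illustration.

```python
import socket
import struct


def ip_header(src, dst, proto, ttl, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_time_exceeded(packet):
    """Return fields of an IPv4 ICMP type 11 message, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20 or packet[ihl] != 11:
        return None
    inner = packet[ihl + 8:]  # RFC 792: original IP header + first 8 data bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "reporting_router": socket.inet_ntoa(packet[12:16]),
        "error_sent_to": socket.inet_ntoa(packet[16:20]),
        "code": packet[ihl + 1],  # 0 = TTL exceeded in transit
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
    }
    l4 = inner[inner_ihl:inner_ihl + 8]
    if inner[9] in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    return info


def is_backscatter(info, sent_flows):
    """True when the quoted packet matches no (dst, proto, dport) this host sent."""
    return (info["orig_dst"], info["orig_proto"], info.get("orig_dport")) not in sent_flows


# Constructed sample: router 192.0.2.1 reports an expired UDP packet that claimed
# to come from 198.51.100.10 (the address receiving the error) bound for 203.0.113.5:53.
_quoted = ip_header("198.51.100.10", "203.0.113.5", 17, 1, 8) + struct.pack("!HHHH", 1024, 53, 8, 0)
_icmp = struct.pack("!BBHI", 11, 0, 0, 0) + _quoted  # ICMP checksum not validated here
SAMPLE = ip_header("192.0.2.1", "198.51.100.10", 1, 250, len(_icmp)) + _icmp

if __name__ == "__main__":
    info = parse_time_exceeded(SAMPLE)
    print(info, is_backscatter(info, sent_flows=set()))
```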