> From spb_at_meshuggeneh.net Mon Oct 9 15:53 EDT 2000
> To: Donald McLachlan <don_at_mainframe.dgrc.crc.ca>
>
> In message <200010051350.JAA09245_at_obelix.dgrc.crc.ca>, Donald McLachlan writes:
>
> >As you say the ICMP message includes the IP header of the packet which could
> >not be delivered.
> >3) Look at the IP header of the included packet. If the TTL is close to
> > (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
> > you can be pretty sure that the host spoofing your addresses is behind
> > that border router.
>
> There's a simpler and better indicator: check to see if the source
> of the ICMP packet is between the destination of the ICMP packet and
> the `unreachable' host. If this isn't the case, it's a pretty good
> bet that the actual origin of the original traffic is behind the ICMP source.
Spoof at host A (but we don't know the host's true address).
Sends packets via router B.
To unreachable address C.
Spoofing address D (which is where the ICMP unreachable message gets sent).

A - B - (Big Internet Cloud) - C
                |
                D
If I understand you correctly, you are saying to check if D is between
B and C. That makes no sense to me, so I must be misunderstanding you.
Can you please elaborate how your method can determine that the spoofer is
behind router B (at A)? (which is what my method does)
Received on Oct 10 2000
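As an added illustration (not code from either correspondent), the following Python parses an ICMP Destination Unreachable datagram, pulls out the embedded IP header of the packet that could not be delivered, and applies the TTL heuristic from the quoted message: pick the smallest default initial TTL (255, 128, 64, 32) that is at least the observed TTL and read the difference as the hop count from the spoofer to the router that generated the ICMP. The addresses, the A/B/C/D scenario, the `near_threshold` of 2 hops, and the packet bytes are all constructed for the example (RFC 5737 documentation ranges); nothing here implements the path-based check proposed in the reply, which needs topology the example does not have.

```python
import ipaddress
import struct

# Default initial TTLs named in the thread; the heuristic assumes the smallest
# one that is >= the observed TTL and reads the difference as hops travelled.
DEFAULT_INITIAL_TTLS = (255, 128, 64, 32)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf):
    """Return (fields, header_length) for the IPv4 header at the start of buf."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    if inet_checksum(buf[:ihl]) != 0:          # catches mangled embedded headers
        raise ValueError("bad IPv4 header checksum")
    return {"ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}, ihl


def parse_icmp_unreachable(datagram):
    """Split an IPv4 datagram carrying ICMP type 3 into (outer, code, inner).

    RFC 792: the ICMP body carries the IP header of the undeliverable packet
    plus its first 8 payload bytes; only that inner header is parsed here.
    """
    outer, ihl = parse_ipv4_header(datagram)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = datagram[ihl:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    inner, _ = parse_ipv4_header(icmp[8:])
    return outer, icmp[1], inner


def estimate_hops(ttl, initial_ttls=DEFAULT_INITIAL_TTLS):
    """Map an observed TTL to (assumed initial TTL, hops travelled)."""
    candidates = [t for t in initial_ttls if t >= ttl]
    if not candidates:
        raise ValueError("TTL %d exceeds every known initial TTL" % ttl)
    initial = min(candidates)
    return initial, initial - ttl


def classify(datagram, near_threshold=2):
    """Apply the thread's TTL heuristic to one captured ICMP unreachable."""
    outer, code, inner = parse_icmp_unreachable(datagram)
    initial, hops = estimate_hops(inner["ttl"])
    return {
        "icmp_from": outer["src"],          # router B that generated the ICMP
        "icmp_to": outer["dst"],            # spoofed address D
        "unreachable_dst": inner["dst"],    # C, the address the spoofer aimed at
        "icmp_code": code,
        "assumed_initial_ttl": initial,
        "hops_to_icmp_sender": hops,
        # "within 1 or 2" of an initial TTL: spoofer sits just behind the router
        "likely_behind_icmp_sender": hops <= near_threshold,
    }


# --- constructed sample for the A/B/C/D scenario (assumed addresses) ---
def build_ipv4_header(src, dst, ttl, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(router, spoofed_src, unreachable_dst, inner_ttl):
    """Router reports that a packet spoofed_src->unreachable_dst was undeliverable."""
    udp_stub = struct.pack("!HHHH", 53, 53, 8, 0)           # first 8 payload bytes
    inner = build_ipv4_header(spoofed_src, unreachable_dst, inner_ttl, 17, 8) + udp_stub
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + inner           # type 3, code 1
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(router, spoofed_src, 64, 1, len(icmp)) + icmp


# A sends D->C with an initial TTL of 64; B is A's first hop, so the header it
# echoes back to D carries TTL 63 and the heuristic places A one hop behind B.
SAMPLE = build_icmp_unreachable("198.51.100.1", "192.0.2.7", "203.0.113.9", 63)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The checksum check on the embedded header is worth keeping in real captures: some routers truncate or rewrite the quoted packet, and a TTL read from a corrupted copy would put the spoofer at the wrong distance.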