Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Off by one in ICMP distance calculation?
From: David Fifield <david () bamsoftware com>
Date: Sat, 13 Oct 2012 13:47:56 -0700

On Fri, Sep 30, 2011 at 06:53:53PM -0700, David Fifield wrote:
On Fri, Sep 30, 2011 at 12:00:05PM +0200, Luis MartinGarcia. wrote:
On 09/15/2011 06:48 PM, David Fifield wrote:
During OS detection, we calculate distance by subtracting the
encapsulated TTL in an ICMP error reply from the TTL we set originally
when sending the probe:
  /* Count hop count */
  if (hss->distance == -1) {
    hss->distance = this->udpttl - ip2->ip_ttl;
  }
I think this is off by one: it reports one less than the actual
distance. I added this debugging line:
  log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl, this->udpttl - ip2->ip_ttl);
and I tried running with traceroute. Here's a remote host:
  TTL distance: 56 - 46 == 10
  Network Distance: 11 hops
  TRACEROUTE (using port 53/tcp)
  HOP RTT      ADDRESS
  1   6.11 ms  192.168.0.1
   ...
  9   29.23 ms 10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
  10  14.23 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
  11  17.00 ms li86-221.members.linode.com (74.207.244.221)
and here's a directly connected host:
  TTL distance: 61 - 61 == 0
  Network Distance: 1 hop
  TRACEROUTE
  HOP RTT     ADDRESS
  1   0.23 ms 192.168.0.3

Directly connected hosts are already treated as a special case and set
to distance 1, so you would only notice the discrepancy against
multiple-hop hosts.

Does anyone else agree that this is off by one?


Hi!

In my opinion it  depends on the definition of network distance. If we
only mean the number of intermediate devices between the sender and the
receiver, then the SENT_TTL - RECV_TTL throws the correct value.
However, I don't think the distance should be defined like that. In
real-world when someone asks how far is some tube station and I tell
them it's three stops away, that means you get the tube in station A,
you pass B and C until you get to D. In network communications B and C
would be routers and the TTL would be decremented only twice, not three
times. Therefore:

A[TTL 255] --> B [TTL 254] --> C [TTL 253] --> D   ::
Distance=255-253=2?  Wrong, It should be 3.

So yeah, I agree that its and off by one bug. Plus, if we do
{distance=SENT_TTL - RCVD_TTL + 1} then the directly connected is not a
special case and can be reliably distinguished from the scenario where
there is one router in the middle.

Okay, I just made a commit to increase the number by 1.

I just discovered a bug with this commit from a year ago. After
increasing the measure distance, I didn't also adjust the initial TTL
calculation that appears in OS fingerprints, so they are one higher than
they should be. I ahve fixed this now in r30031.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
  • Re: Off by one in ICMP distance calculation? David Fifield (Oct 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]