Security Basics mailing list archives
RE: Traces
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 31 Dec 2003 16:05:40 -0800
Okdokie. Let's say I am pinging anything.org and it's 5 hops away. Let's also say that through a status route change (a BGP peer goes down, etc.) I'm being routed through a different backbone; now anything.org is 8 hops away due to that change. Great, it's 8 hops away.

Now, you have a DOS attack against two networks, your friend's and yours. Your friend detects that the attacker is 12 hops away. You are suffering from the same attack and detect that it is 7 hops away. Let's also assume that we've stripped the dynamic properties of the Internet away and you know for a FACT that 11 hops away from him and 6 hops away from you is an SBC ATM core. The last hop is unknown because you can't garner that information without, at least, a netblock. The ATM core can be connected to thousands of networks; using that information you can only have a meager guess at which backbone provider the attack is coming from.

Now, 20 hops away from me could be almost anywhere in the western half of the world thanks to AT&T. The dynamic state of routes is what complicates this technique. 12 hops for me can be 30 hops to you. Then all of a sudden it's 30 hops for me and 33 hops for you. Using the above example, say your ISP had to route through its backup Tier 1 connection due to traffic load, which leaves the backbone network in another state; now instead of 7 hops you're up to 9.

TTL is not like miles; it can't be efficiently measured. Routers can be hundreds of miles apart, or a few feet. I can reach the eastern half of the US in fewer hops than it takes me to get to Mexico; does that mean it's closer? Nope. Could I take a look at a TTL and say what state it's in? Nope.

Can you give me an example of it in action? How would you use it to trace the source of an attack where the originating IP address has been faked? IMHO I still think it is useless, but that's because I can't see it working or giving me useful information.
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar]
Sent: Wednesday, December 31, 2003 1:00 PM
To: Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces
At 12:18 31/12/2003 -0800, Shawn Jackson wrote:
Eh' kinda. The TTL is decremented when the packet travels over a router. If they don't set the TTL to a random number you know, "hey he's eight hops away", but that's it. In a confined corporate network that might work better, but on a network as dynamic as the internet, not all paths have the same TTL so it's almost worthless, IMHO.

What do you mean by "not all paths have the same TTL"? If the TTL has not been intentionally set to some random value, even when routes may change, you can still say "it's X hops away". So the dynamic nature of routes doesn't make this technique useless. Furthermore, if somehow you can correlate an attack to your site with any other attack to some other sites, you will have a better idea of where the attacker is. Of course, this will work if and only if the TTL field is not set to a random value.

-- Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
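An added example, not from either poster, of the hop-count estimate Fernando describes run over a constructed packet log for the two sites in Shawn's scenario (you at 7 hops, your friend at 12, then a route shift to 9). The default initial TTLs, the log format and the addresses are assumptions.

```python
# Added example (not from the thread). Infers hop distance from the TTL seen
# on arriving packets and shows both sides of the argument: a spoofed source
# address changes per packet, but the TTL only moves when the real path does.
# Assumption: the sender used one of the common OS default initial TTLs.
import re
from collections import Counter

DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)   # assumed defaults, not exhaustive

def guess_hops(observed_ttl):
    """Usual heuristic: pick the smallest default initial TTL that is >= the
    observed value; hops = initial - observed. Returns (initial, hops).
    Caveat: a low TTL such as 30 reads as 2 hops from 32, but would be 34
    hops from 64, so the guess is ambiguous near the boundaries."""
    for init in sorted(DEFAULT_INITIAL_TTLS):
        if init >= observed_ttl:
            return init, init - observed_ttl
    raise ValueError("TTL above 255 is not a valid IPv4 TTL")

# Constructed log lines; addresses are from the RFC 5737 documentation ranges.
LOG = """\
site=you src=198.51.100.7 ttl=57
site=you src=203.0.113.9 ttl=57
site=you src=192.0.2.33 ttl=57
site=you src=198.51.100.88 ttl=55
site=friend src=203.0.113.200 ttl=116
site=friend src=192.0.2.5 ttl=116
"""
LINE = re.compile(r"site=(\S+) src=(\S+) ttl=(\d+)")

def hops_per_site(log_text):
    """Histogram of inferred hop distance per site. The spoofed src field is
    ignored on purpose: it carries no information, the TTL does."""
    result = {}
    for m in LINE.finditer(log_text):
        site, ttl = m.group(1), int(m.group(3))
        _, hops = guess_hops(ttl)
        result.setdefault(site, Counter())[hops] += 1
    return result

def route_shift(counter):
    """True if one site saw more than one hop distance during the attack:
    Shawn's case of the path changing under a BGP or backup-link event."""
    return len(counter) > 1

if __name__ == "__main__":
    for site, hist in hops_per_site(LOG).items():
        print(site, dict(hist), "route shift" if route_shift(hist) else "stable")
```

The per-site histogram is what you would compare with another site's when correlating the same attack, and a second mode in one site's histogram is the route change Shawn is worried about rather than a second attacker.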