
Re: icmp: type-#69 (catched that bastard)



Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com> writes:

[snip]
>> How many hops away is the supposed source if you traceroute to it and how
>> does that compare to the 17 the above would imply?
>
> How did you work the 17 out?

I assume that the box's OS is setting to the nearest power of two by
default and that it's being decremented by one per router en route as
normal. In this case, (- 128 111) is 17 :)

> Here's the traceroute:
>
>  1  x.y.z.1         (gateway@my ISP)   25.604 ms   23.43  ms    24.26  ms
[snip]
> 16  151.99.29.222   (151.99.29.222)   284.126 ms  280.547 ms   287.283 ms
> 17  80.17.211.142   (80.17.211.142)   405.897 ms  287.745 ms   284.2   ms
> 18  151.99.29.100   (151.99.29.100)   284.638 ms  282.311 ms   299.727 ms
> 19  62.211.198.163  (62.211.198.163)  603.76  ms  649.345 ms   653.241 ms

OK. Either we have asymmetric routing or that packet is spoofed from
something that's really 17 hops away in order to get your network (hence
the broadcast) to attack a box that's really 19 hops away. Or the box is
emitting dodgy packets itself (less likely).

~Tim
-- 
<http://spodzone.org.uk/>
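
An added example, not part of the original message: the TTL arithmetic from the reply above written as a hop-distance consistency check. The list of common initial TTLs, the function names and the tolerance parameter are assumptions of this example.

```python
# Initial TTLs commonly set by OS network stacks (assumed list for this
# example; the message only assumes "nearest power of two").
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(observed_ttl):
    """Guess the sender's initial TTL and the hops the packet travelled.

    Picks the smallest common default that is >= the TTL seen on arrival,
    since each router on the path decrements the TTL by one.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def check_source(observed_ttl, traceroute_hops, tolerance=1):
    """Compare the TTL-implied distance with the traceroute distance.

    tolerance (hypothetical parameter) absorbs small path differences.
    A larger gap means asymmetric routing, a spoofed source address,
    or a sender that emits packets with an unusual initial TTL.
    """
    initial, implied = infer_hops(observed_ttl)
    delta = abs(implied - traceroute_hops)
    return {
        "assumed_initial_ttl": initial,
        "implied_hops": implied,
        "traceroute_hops": traceroute_hops,
        "delta": delta,
        "verdict": "consistent" if delta <= tolerance else "mismatch",
    }


if __name__ == "__main__":
    # Values from the thread: packet arrived with TTL 111, traceroute
    # to the claimed source needed 19 hops.
    for key, value in check_source(111, 19).items():
        print(f"{key}: {value}")
```

A mismatch alone does not separate spoofing from asymmetric routing; it only marks the packet as worth a closer look.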


