Re: icmp: type-#69 (catched that bastard)
On Sun, 15 Sep 2002, Tim Haynes wrote:
> Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com> writes:
>
> [snip]
> >> How many hops away is the supposed source if you traceroute to it and how
> >> does that compare to the 17 the above would imply?
> >
> > How did you work the 17 out?
>
> I assume that the box's OS is setting to the nearest power of two by
> default and that it's being decremented by one per router en-route as
> normal. In this case, (- 128 111) is 17 :)

Magic ;-)

> > Here's the traceroute:
> >
> > 1 x.y.z.1 (gateway@my ISP) 25.604 ms 23.43 ms 24.26 ms
> [snip]
> > 16 151.99.29.222 (151.99.29.222) 284.126 ms 280.547 ms 287.283 ms
> > 17 80.17.211.142 (80.17.211.142) 405.897 ms 287.745 ms 284.2 ms
> > 18 151.99.29.100 (151.99.29.100) 284.638 ms 282.311 ms 299.727 ms
> > 19 62.211.198.163 (62.211.198.163) 603.76 ms 649.345 ms 653.241 ms
>
> OK. Either we have asymmetric routing or that packet is spoofed from
> something that's really 17 hops away in order to get your network (hence
> the broadcast) to attack a box that's really 19 hops away. Or the box is
> emitting dodgy packets itself (less likely).

The thing I wonder about is: who knows how to answer to an icmp
type-#69? Worms? Root kits?

Cheers,
Cristian
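
The TTL comparison discussed in this thread, written out as an added example (not code from either poster): it infers the hop count from a received TTL and compares it with the hop count traceroute reports. The list of common initial TTLs, the `tolerance` parameter and all function names are assumptions of this example.

```python
import re

# Common OS default initial TTLs (assumed list, not taken from the thread).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Hop lines 16-19 as quoted in the thread's traceroute.
SAMPLE_TRACEROUTE = """\
16 151.99.29.222 (151.99.29.222) 284.126 ms 280.547 ms 287.283 ms
17 80.17.211.142 (80.17.211.142) 405.897 ms 287.745 ms 284.2 ms
18 151.99.29.100 (151.99.29.100) 284.638 ms 282.311 ms 299.727 ms
19 62.211.198.163 (62.211.198.163) 603.76 ms 649.345 ms 653.241 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)")

def estimate_hops(observed_ttl):
    """Return (assumed initial TTL, hops), taking the smallest common
    default that is >= the TTL seen on the received packet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def traceroute_hops(output):
    """Return the highest hop number that answered (skips '* * *' rows)."""
    last = 0
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if m and m.group(2) != "*":
            last = max(last, int(m.group(1)))
    return last

def compare(observed_ttl, traceroute_output, tolerance=1):
    """Compare the TTL-implied distance with the traceroute distance.
    A gap larger than `tolerance` means asymmetric routing or a source
    address that does not match where the packet really came from."""
    initial, ttl_hops = estimate_hops(observed_ttl)
    path_hops = traceroute_hops(traceroute_output)
    gap = abs(ttl_hops - path_hops)
    verdict = "consistent" if gap <= tolerance else "mismatch"
    return {"initial_ttl": initial, "ttl_hops": ttl_hops,
            "traceroute_hops": path_hops, "verdict": verdict}

if __name__ == "__main__":
    # TTL 111 is the value implied by "(- 128 111) is 17" in the thread.
    print(compare(111, SAMPLE_TRACEROUTE))
```

The default tolerance of one hop absorbs the usual off-by-one between counting routers and counting the destination itself; small path changes between the packet and the traceroute can widen the gap without any spoofing.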