[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] hiding routers
- To: Kristian Hermansen <kristian.hermansen@xxxxxxxxx>
- Subject: Re: [Full-disclosure] hiding routers
- From: Sebastian Krahmer <krahmer@xxxxxxx>
- Date: Wed, 18 Apr 2007 12:00:22 +0200 (CEST)
On Wed, 18 Apr 2007, Kristian Hermansen wrote:
Hi,
All better firewalling equipment offers a "stealth-routing" feature;
patches also exist for the Linux kernel. They can be detected using
DF-bit and certain other fields within the IP hdr, depending on
implementation and setup. Not decrementing TTL also does not
mean that it actually forwards packets with TTL 0.
Sebastian
> I brought this question up on another mailing list, but didn't get any
> good answers...
>
> How common is it that a router does not decrement the TTL of packets,
> such that it is unable to be identified using traceroute? Choosing
> not to decrement the TTL causes the next router to appear as the hop,
> but the current router to remain hidden. How does one commonly
> identify such hidden routers in an automated fashion? And is it
> policy for any organizations to actually do this, or only with certain
> packet types?
>
> The responses I got were along the lines of "don't do that, it breaks
> tcp/ip and error conditions". However, I am still interested in how
> likely an organization is to try something like this for both
> legitimate and illegitimate purposes.
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@xxxxxxx - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/