On Sun, 15 Sep 2002, Tim Haynes wrote:

> Cristian Ionescu-Idbohrn <[EMAIL PROTECTED]> writes:
>
> [snip]
> >> How many hops away is the supposed source if you traceroute to it and how
> >> does that compare to the 17 the above would imply?
> >
> > How did you work the 17 out?
>
> I assume that the box's OS is setting to the nearest power of two by
> default and that it's being decremented by one per router en-route as
> normal. In this case, (- 128 111) is 17 :)

Magic ;-)

> > Here's the traceroute:
> >
> >  1  x.y.z.1 ([EMAIL PROTECTED] ISP)  25.604 ms  23.43 ms  24.26 ms
> [snip]
> > 16  151.99.29.222 (151.99.29.222)  284.126 ms  280.547 ms  287.283 ms
> > 17  80.17.211.142 (80.17.211.142)  405.897 ms  287.745 ms  284.2 ms
> > 18  151.99.29.100 (151.99.29.100)  284.638 ms  282.311 ms  299.727 ms
> > 19  62.211.198.163 (62.211.198.163)  603.76 ms  649.345 ms  653.241 ms
>
> OK. Either we have asymmetric routing or that packet is spoofed from
> something that's really 17 hops away in order to get your network (hence
> the broadcast) to attack a box that's really 19 hops away. Or the box is
> emitting dodgy packets itself (less likely).

The thing I wonder about is: who knows how to answer to an icmp type-#69?
Worms? Root kits?

Cheers,
Cristian
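The hop arithmetic discussed in this thread, as an added Python example that is not part of the original messages: it infers the sender's initial TTL from the observed TTL, reads the hop count from the quoted traceroute, and reports the difference between the two paths. The list of default TTLs, the function names, and the assumption that the last traceroute line is the destination itself are assumptions of the example.

```python
import re

# Assumption: the sender used one of these common default initial TTLs.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
HOP_LINE = re.compile(r"^(\d+)\s+\S+")

# Traceroute lines as quoted in the thread (hops 2-15 were snipped there).
SAMPLE_TRACEROUTE = """\
> >  1  x.y.z.1 ([EMAIL PROTECTED] ISP)  25.604 ms  23.43 ms  24.26 ms
> [snip]
> > 16  151.99.29.222 (151.99.29.222)  284.126 ms  280.547 ms  287.283 ms
> > 17  80.17.211.142 (80.17.211.142)  405.897 ms  287.745 ms  284.2 ms
> > 18  151.99.29.100 (151.99.29.100)  284.638 ms  282.311 ms  299.727 ms
> > 19  62.211.198.163 (62.211.198.163)  603.76 ms  649.345 ms  653.241 ms
"""

def infer_hops(observed_ttl):
    """Return (assumed initial TTL, routers crossed) for a received packet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl

def traceroute_last_hop(text):
    """Highest hop number in traceroute output; mail '>' quoting is ignored."""
    last = 0
    for line in text.splitlines():
        m = HOP_LINE.match(line.lstrip("> "))
        if m:
            last = max(last, int(m.group(1)))
    return last

def compare(observed_ttl, traceroute_text, tolerance=0):
    """Compare the inbound hop estimate with the outbound traceroute path."""
    initial, inbound = infer_hops(observed_ttl)
    # Assumption: the last line is the destination, so hop N means N-1 routers.
    forward_routers = traceroute_last_hop(traceroute_text) - 1
    delta = forward_routers - inbound
    return {"initial_ttl": initial, "inbound_routers": inbound,
            "forward_routers": forward_routers, "delta": delta,
            "consistent": abs(delta) <= tolerance}

if __name__ == "__main__":
    # TTL 111 is the observed value from the thread: (- 128 111) is 17.
    print(compare(111, SAMPLE_TRACEROUTE))
```

A non-zero delta does not by itself separate a spoofed source from asymmetric routing, so `tolerance` has to be set from what is normal for the paths being monitored.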

