Hi Geeks, A reader noticed ICMP echo request packets attempting to enter their network yesterday with the IP timestamp option set. Upon closer inspection, the payload of the ICMP echo contained a URL which was http://iplane.cs.washington.edu/
That link lead to a University of Washington research project site that measures Internet path performance. Based on their website they have been doing this since 2006. They are employing IP options in their echo request packets which many folks may noticed in their IPS/IDS logs. Echo requests with timestamp option allow you to do things like: "Measuring link attributes: Existing techniques for measuring loss rate, bandwidth capacity and available bandwidth are employed in a scalable and efficient manner to characterize the properties of all inter-cluster links in the measured topology." If your interested in jitter for example a few pings with TS allows for fairly simple jitter computation. If you see some of ICMP 8:0 with ip opts that includes TimeStamp you might want to capture some packets and look inside to see if it came from this research project. TimeStamp replies are considered dangerous as they might be used to defeat time based authentication protocols. http://www.nessus.org/plugins/index.php?view=single&id=10114 Cheers, 0xN41K -- You received this message because you are subscribed to the Google Groups "nforceit" group. To post to this group, send an email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
