At 11:51 AM -0400 5/26/03, Jonathan A. Zdziarski wrote:

> > What would explain the following scenario
>
> With just those four tests to go on, I would start thinking that the address
> you are analyzing is either spoofed or no longer online. A traceroute that
> bounces between two hosts is usually a sign of a routing loop as a result of
> the destination host being down. This was more prevalent ten years ago, but
> I still see them today periodically. DNS information (as well as a ping -a)
> completely relies on the authoritative server for the address space, so I
> would find out who the particular network belongs to and contact them. A
> whois on arin.net's servers (or some other registry) ought to give you some
> contact information. Finally, ping timeouts... are you certain that the
> reply you're receiving back is actually from the host? If you increase your
> TTL in a traceroute, do you finally get somewhere? It could in fact be
> coming from one of the routers in the loops if your TTL is expiring in
> transit.

Jonathan makes a good point. Many OSes drop anything that's more than 20 or
30 hops old. A default Solaris 8 install is a good case in point, since it's
a relatively modern OS. While this may not seem important, many things, most
notably in Australia and Asia, are more than 30 hops from the Core DNS. If
you are trying to backtrack stuff, checking both your default number of hops
and TTL may well be worth investigating.

--
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being governed
by those who are dumber." --Plato

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
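The loop symptom both posters describe (a traceroute that alternates between the same two routers until the probe's TTL runs out) is easy to spot by eye on a short trace and easy to miss on a 30-hop one. The following Python is an added example, not code from either poster or from the list: it parses traceroute-style output, reports which addresses keep reappearing and at which hop the repetition starts, and pulls the "hops max" value from the header so you can see whether the trace stopped because of your own TTL limit rather than because of the far end. The sample trace is constructed for the example; the hostnames and addresses in it are documentation placeholders, not real hosts.

```python
"""Detect a routing loop in traceroute output.

Added example, not part of the original mailing-list thread. It parses
traceroute-style hop lines and flags the pattern described in the post:
the same addresses answering hop after hop while the hop count keeps
climbing, which usually means a routing loop toward a destination that
is down. The sample output below is constructed, not captured.
"""
import re
from collections import Counter

# Constructed sample: hops 1-3 are normal, then two routers bounce the
# probe back and forth until the probes start timing out.
SAMPLE_TRACEROUTE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.example.net (198.51.100.1)  0.412 ms  0.398 ms  0.380 ms
 2  core1.example.net (198.51.100.9)  1.203 ms  1.190 ms  1.175 ms
 3  border.example.net (203.0.113.1)  4.511 ms  4.490 ms  4.470 ms
 4  r1.isp.example (203.0.113.21)  9.102 ms  9.090 ms  9.080 ms
 5  r2.isp.example (203.0.113.22)  9.350 ms  9.340 ms  9.330 ms
 6  r1.isp.example (203.0.113.21)  9.601 ms  9.590 ms  9.580 ms
 7  r2.isp.example (203.0.113.22)  9.850 ms  9.840 ms  9.830 ms
 8  r1.isp.example (203.0.113.21)  10.10 ms  10.09 ms  10.08 ms
 9  r2.isp.example (203.0.113.22)  10.35 ms  10.34 ms  10.33 ms
10  * * *
"""

# "<hop>  <name> (<ip>)" as printed by Linux/BSD traceroute.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")
# Probes that got no reply print "<hop>  * * *".
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")
# The header line carries the max TTL traceroute was run with.
HEADER_RE = re.compile(r"(\d+) hops max")


def parse_hops(text):
    """Return a list of (hop_number, ip) tuples; a timed-out hop has ip None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return hops


def max_ttl(text):
    """Max TTL from the traceroute header, or None if the header is missing."""
    m = HEADER_RE.search(text)
    return int(m.group(1)) if m else None


def find_loop(hops, min_repeats=2):
    """Return the set of addresses that answered more than min_repeats times.

    A router legitimately answers once. The same router answering again
    and again at increasing TTLs is the loop signature from the post.
    """
    seen = Counter(ip for _, ip in hops if ip is not None)
    return {ip for ip, n in seen.items() if n > min_repeats}


def analyze(text):
    """Summarise a traceroute: loop members, where the loop starts, TTL limit."""
    hops = parse_hops(text)
    loop_ips = find_loop(hops)
    first_repeat = None
    seen = set()
    for n, ip in hops:
        if ip in loop_ips:
            if ip in seen:
                first_repeat = n  # first hop at which a loop member repeats
                break
            seen.add(ip)
    return {
        "hops": len(hops),
        "max_ttl": max_ttl(text),
        "loop_ips": sorted(loop_ips),
        "loop_starts_at_hop": first_repeat,
        "last_hop_timed_out": bool(hops) and hops[-1][1] is None,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACEROUTE).items():
        print(f"{key}: {value}")
```

When `loop_ips` is non-empty and the trace never reached the target, the replies to your pings are almost certainly ICMP time-exceeded messages from those routers rather than anything from the host. If instead the trace simply stops at the `max_ttl` value with no loop, rerun it with a larger limit (`traceroute -m 60 <host>` on Linux and BSD) before concluding the path is broken; as the post notes, a 30-hop default is not enough for some parts of the world.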
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 10:13:11 PDT