Re: Traceroute Question

From: oherrera (oherreraat_private)
Date: Mon Apr 07 2003 - 16:52:02 PDT


    Mh... The original IP Header + 64 bits of data is included
    in the ICMP Time Exceeded Message...
    
    If we assume that our address is a.a.a.a and target is
    t.t.t.t then the IP header in all ICMP Time Exceeded Message
    should read:
    from a.a.a.a to t.t.t.t, but... if there is some proxy
    inside whose internal address is b.b.b.b the IP header would
    change and any device between b.b.b.b and t.t.t.t where the
    packet expires would include an IP header inside the ICMP
    Time Exceeded Message reading: from b.b.b.b to t.t.t.t,
    wouldn't it?
    
    Now, assuming this proxy has an external IP address of
    e.e.e.e (which a.a.a.a can see) and somehow, this proxy just
    redirects traffic for a certain port to t.t.t.t on the
    internal network, in theory, you would receive ICMP Type 11:
    [IP from e.e.e.e to a.a.a.a]....[ IP inside ICMP protocol:
    from a.a.a.a to e.e.e.e?]
    
    if expiring before and on the proxy... and you might
    receive:
    [IP from e.e.e.e to a.a.a.a]....[ IP inside ICMP protocol:
    from b.b.b.b to t.t.t.t?] if expiring after the proxy (on
    the internal network.)
    
    I haven't actually tried this but looks like it would work
    for mapping an internal network behind a proxy under some
    circumstances (using a sniffer at least).
    
    But regarding the question being posted, I would have
    another question... Does any traceroute implementation favour
    IP header inside the ICMP type 11 protocol over the IP
    header of the packet itself under some circumstances?
    
    Omar Herrera
    
    
    
    > Hi all,
    >
    > While trying to do traceroute on one of the servers I get
    > the following reply:
    >
    > $traceroute a.b.c.d
    >  1  192.168.0.254 (192.168.0.254)  0.442 ms  0.397 ms  0.358 ms
    >  2  62.150.42.1 (62.150.42.1)  1.951 ms  1.315 ms  1.249 ms
    >  3  172.17.8.149 (172.17.8.149)  43.577 ms  23.481 ms  17.653 ms
    >  4  border.qualitynet.net (195.226.227.1)  19.935 ms  20.902 ms  21.896 ms
    >  5  isp.qualitynet.net (195.226.227.10)  19.928 ms  23.302 ms  21.839 ms
    >  6  192.168.226.38 (192.168.226.38)  71.321 ms  282.457 ms  *
    >
    > My question is why I am getting 192.168.226.38, a
    > non-routable address, in the traceroute reply? As far as I
    > think, this private address space is not routable on the
    > internet.
    > Any suggestions?
    >
    > Vineet
    >
    >
    > [Attachment: signature.asc]
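
The comparison described in the message above, as an added example that is not part of the original post: it parses an ICMP Type 11 packet, pulls out the outer IP header and the quoted IP header (original header + 64 bits of data), and flags when the quoted addresses differ from the probe that was sent. The packets and the addresses standing in for a.a.a.a, e.e.e.e, b.b.b.b and t.t.t.t are constructed to match the two cases the post hypothesizes; all function names are illustrative.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) of the IPv4 header at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], ihl

def parse_time_exceeded(packet):
    """Split an ICMP Type 11 packet into its outer and quoted IP headers."""
    o_src, _o_dst, proto, ihl = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 11:
        raise ValueError("not an ICMP Time Exceeded message")
    # The quoted original header follows the 8-byte ICMP header.
    q_src, q_dst, _, _ = parse_ipv4(icmp[8:])
    return {"reporter": o_src, "quoted_src": q_src, "quoted_dst": q_dst}

def check_quote(packet, probe_src, probe_dst):
    """Compare the quoted header with the probe we sent; True means it was rewritten."""
    info = parse_time_exceeded(packet)
    info["rewritten"] = (info["quoted_src"], info["quoted_dst"]) != (probe_src, probe_dst)
    return info

def make_sample(reporter, to, q_src, q_dst):
    """Constructed ICMP Time Exceeded: quoted IP header + 8 bytes (64 bits) of UDP."""
    quoted = ipv4_header(q_src, q_dst, 17, 8, ttl=1) + struct.pack("!HHHH", 40000, 33434, 8, 0)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted  # type 11, code 0, checksum 0, unused
    return ipv4_header(reporter, to, 1, len(icmp)) + icmp

# Constructed addresses standing in for a.a.a.a, e.e.e.e, b.b.b.b, t.t.t.t.
A, E, B, T = "198.51.100.10", "203.0.113.1", "10.0.0.1", "10.0.0.50"
before_proxy = make_sample(E, A, A, E)  # case 1: expired before or on the proxy
after_proxy = make_sample(E, A, B, T)   # case 2: expired on the internal network

if __name__ == "__main__":
    for pkt in (before_proxy, after_proxy):
        print(check_quote(pkt, A, E))
```

Run against a capture of your own perimeter, the same comparison shows whether the address-translating device leaves internal addresses visible in the quoted header of ICMP errors it forwards.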
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 08:38:03 PDT