On Wed, 18 Apr 2007, Kristian Hermansen wrote: Hi,
All better firewalling equipment offers a "stealth-routing" feature; patches also exist for the Linux kernel. They can be detected using DF-bit and certain other fields within the IP hdr, depending on implementation and setup. Not decrementing TTL also does not mean that it actually forwards packets with TTL 0. Sebastian > I brought this question up on another mailing list, but didn't get any > good answers... > > How common is it that a router does not decrement the TTL of packets, > such that it is unable to be identified using traceroute? Choosing > not to decrement the TTL causes the next router to appear as the hop, > but the current router to remain hidden. How does one commonly > identify such hidden routers in an automated fashion? And is it > policy for any organizations to actually do this, or only with certain > packet types? > > The responses I got were along the lines of "don't do that, it breaks > tcp/ip and error conditions". However, I am still interested in how > likely an organization is to try something like this for both > legitimate and illegitimate purposes. > -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ [EMAIL PROTECTED] - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/