February 11th, 2005, 07:49 AM
#1
Member
Really weird
It all started with a Windows cookie-cutter tool vs. CLI Linux battle over superiority. I decided to show a buddy of mine just how much you can do from the command line. I showed him the virtues of hping2 mostly.
As I was showing him how to test if a server is load balanced by looking at the IPID #s, something strange happened.
I was originally issuing the command:
Code:
hping2 -G -S -p 80 www.ebay.com >> /tmp/weirdshit ; sleep 5 ; traceroute www.ebay.com >> /tmp/weirdshit
Well, it's not verbatim, but you get the point, moving on...
Here's the output I got. Now I'm curious as to why in the world the record route (-G) from the hping output puts me through the 10.6, 10.8, 10.5, etc. addresses, then when the traceroute goes off it's totally different! Don't worry guys, my public IP is not visible, the closest you can get is the neighborhood node (66.135.*). I know for a fact that the 10.244.32.1 address is my cable modem (see it next to my 192.168 in one RR). Sooo...
I went ahead and tracerouted to the 10.8, 6, 5, etc., figuring they were just private IPs within att's network, and on the UDP traceroute they come out to be 18 hops away, off the att network!
Here's the (almost) complete output.
Code:
HPING www.ebay.com (eth0 66.135.192.88): S set, 40 headers + 0 data bytes
len=84 ip=66.135.192.88 ttl=108 DF id=19439 sport=80 flags=SA seq=1 win=16616 rtt=130.5 ms
RR: 10.6.105.7
10.6.1.106
66.135.207.70
157.130.209.22
137.39.4.250
137.39.4.84
137.39.3.237
204.255.174.173
12.123.13.69
len=84 ip=66.135.192.88 ttl=108 DF id=44620 sport=80 flags=SA seq=4 win=16616 rtt=146.3 ms
RR: 10.6.105.7
10.6.1.74
66.135.207.206
157.130.209.22
137.39.4.250
137.39.4.83
137.39.3.236
204.255.174.173
12.123.13.69
len=84 ip=66.135.192.88 ttl=108 DF id=15776 sport=80 flags=SA seq=5 win=16616 rtt=265.8 ms
RR: 10.6.105.7
10.6.1.102
66.135.207.230
157.130.209.22
137.39.4.250
137.39.4.83
137.39.3.236
204.255.174.173
12.123.13.69
len=84 ip=66.135.192.88 ttl=108 DF id=49924 sport=80 flags=SA seq=6 win=16616 rtt=163.8 ms
RR: 10.6.105.7
10.6.1.78
66.135.207.94
157.130.209.22
137.39.4.250
137.39.4.83
137.39.3.236
204.255.174.173
12.123.13.69
len=84 ip=66.135.192.88 ttl=108 DF id=46508 sport=80 flags=SA seq=7 win=16616 rtt=156.8 ms
RR: 10.6.105.7
10.6.1.98
66.135.207.214
157.130.209.22
137.39.4.250
137.39.4.84
137.39.3.237
204.255.174.173
12.123.13.69
len=84 ip=66.135.192.88 ttl=108 DF id=53063 sport=80 flags=SA seq=9 win=16616 rtt=3029.6 ms
RR: 10.6.105.7
10.6.1.102
66.135.207.222
157.130.209.22
137.39.4.250
137.39.4.84
137.39.3.237
204.255.174.173
12.123.13.69
len=84 ip=66.135.208.101 ttl=106 DF id=37846 sport=80 flags=SA seq=0 win=16616 rtt=140.6 ms
RR: 10.8.1.74
66.135.223.214
144.223.252.130
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
12.123.13.194
len=84 ip=66.135.208.101 ttl=105 DF id=38388 sport=80 flags=SA seq=1 win=16616 rtt=124.6 ms
RR: 10.8.1.106
66.135.223.86
144.223.252.6
144.232.29.129
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
len=84 ip=66.135.208.101 ttl=106 DF id=460 sport=80 flags=SA seq=2 win=16616 rtt=142.4 ms
RR: 10.8.105.18
10.8.1.70
66.135.223.230
144.223.252.130
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
DUP! len=84 ip=66.135.208.101 ttl=105 DF id=39863 sport=80 flags=SA seq=0 win=16616 rtt=4362.4 ms
RR: 10.8.1.78
66.135.223.222
144.223.252.6
144.232.29.129
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
len=84 ip=66.135.208.101 ttl=106 DF id=916 sport=80 flags=SA seq=3 win=16616 rtt=1411.9 ms
RR: 10.8.105.18
10.8.1.102
66.135.223.94
144.223.252.130
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
DUP! len=84 ip=66.135.208.101 ttl=105 DF id=40895 sport=80 flags=SA seq=1 win=16616 rtt=3494.2 ms
RR: 10.8.1.110
66.135.223.78
144.223.252.6
144.232.29.129
144.232.20.19
144.232.20.180
144.232.3.217
144.232.9.241
144.232.9.205
len=84 ip=66.135.192.88 ttl=108 DF id=29069 sport=80 flags=SA seq=8 win=16616 rtt=9080.3 ms
RR: 10.6.105.7
10.6.1.74
66.135.207.70
157.130.209.22
137.39.4.250
137.39.4.83
137.39.3.236
204.255.174.173
12.123.13.69
Traceroute to ebay:
1 192.168.1.1 (192.168.1.1) 37.681 ms 28.050 ms 26.270 ms
2 10.244.32.1 (10.244.32.1) 48.218 ms 42.265 ms 57.027 ms
3 68.87.165.213 (68.87.165.213) 43.639 ms 42.305 ms 44.143 ms
4 68.87.165.41 (68.87.165.41) 39.045 ms 28.299 ms 45.850 ms
5 68.87.165.37 (68.87.165.37) 33.368 ms 33.145 ms 43.746 ms
6 12.124.91.5 (12.124.91.5) 72.129 ms 36.749 ms 48.773 ms
7 gbr2-p60.ormfl.ip.att.net (12.123.32.157) 30.166 ms 48.591 ms 33.717 ms
8 gbr3-p80.ormfl.ip.att.net (12.122.5.129) 32.790 ms 41.076 ms 40.062 ms
9 tbr2-p012701.hs1tx.ip.att.net (12.122.12.165) 42.164 ms 43.321 ms 38.831 ms
10 tbr1-cl1.dlstx.ip.att.net (12.122.10.129) 42.518 ms 40.674 ms 78.210 ms
11 ggr2-p300.dlstx.ip.att.net (12.123.17.81) 51.416 ms 175.786 ms 236.295 ms
12 att-gw.dfw.level3.net (192.205.32.114) 44.030 ms 53.141 ms 44.068 ms
13 so-1-2-0.bbr2.Dallas1.Level3.net (209.244.15.165) 42.947 ms 47.209 ms 45.114 ms
14 so-2-0-0.mpls1.Sacramento1.Level3.net (209.247.8.78) 93.545 ms 84.795 ms 110.123 ms
15 so-10-0.hsa1.Sacremento1.Level3.net (4.68.113.58) 83.037 ms 82.813 ms 82.536 ms
16 * * *
17 * * *
18 * * *
19 * * *
Traceroute to one of the "close" 10 addresses:
1 192.168.1.1 (192.168.1.1) 2061.859 ms 21.535 ms 59.507 ms
2 10.244.32.1 (10.244.32.1) 57.556 ms 34.871 ms 34.351 ms
3 68.87.165.213 (68.87.165.213) 29.287 ms 34.626 ms 33.420 ms
4 68.87.165.41 (68.87.165.41) 43.963 ms 43.355 ms 35.603 ms
5 68.87.165.37 (68.87.165.37) 60.645 ms 33.749 ms 42.323 ms
6 12.124.91.5 (12.124.91.5) 40.779 ms 40.324 ms 46.821 ms
7 gbr1-p60.ormfl.ip.att.net (12.123.32.153) 35.693 ms 43.038 ms 37.233 ms
8 gbr3-p70.ormfl.ip.att.net (12.122.5.121) 40.255 ms 44.350 ms 22.841 ms
9 tbr2-p013702.hs1tx.ip.att.net (12.122.4.101) 59.093 ms 46.965 ms 42.521 ms
10 tbr1-cl1.dlstx.ip.att.net (12.122.10.129) 42.546 ms 44.902 ms 45.343 ms
11 tbr2-p013601.dlstx.ip.att.net (12.122.9.162) 55.041 ms 42.761 ms 41.909 ms
12 tbr2-cl6.sl9mo.ip.att.net (12.122.10.89) 58.917 ms 55.456 ms 81.842 ms
13 gbr5-p20.sl9mo.ip.att.net (12.122.11.122) 55.481 ms 56.894 ms 55.507 ms
14 gar3-p360.sl9mo.ip.att.net (12.123.25.25) 54.146 ms 56.421 ms 57.598 ms
15 12-220-0-41.client.insightBB.com (12.220.0.41) 62.598 ms 65.570 ms 63.884 ms
16 12-220-1-197.client.insightBB.com (12.220.1.197) 70.110 ms 69.902 ms 66.582 ms
17 12-220-1-113.client.insightBB.com (12.220.1.113) 70.611 ms 69.961 ms 70.542 ms
18 * * *
19 10.6.105.7 (10.6.105.7) 121.702 ms 122.920 ms 118.042 ms
Me's lost? Maybe some of you all could give me some insight? This really intrigues me! Could it be some type of geographical load balancing for the web requests but the UDP oriented traceroute goes towards their domain across the nation from me? Are my bids being redirected to a supercluster for bid snipers? I'm lost here, kinda...
edit! Ok, now I'm thoroughly confused. I've tried the same hping command to a few different sites (10); out of all of them, the -G matches the path the traceroute takes. However, on 4 of the tries, it didn't return any packets whatsoever.
edit 2,
did a little more digging, now I'm thoroughly confused...
command:
output. Now I understand that you can only go so far on the record route option due to the IP header's limited length. I'm also pretty sure that the TCP gets caught up in queues, which is why the long paratrace, but to be jumping off my network (comcast > attbi > internet) directly into a 10.* private network that according to traceroute is 18 hops away while doing the hping2 command has me confused. Well, I just noticed it's 5am here, so I have to go get some sleep.
Code:
HPING www.ebay.com (eth0 66.135.208.88): S set, 40 headers + 0 data bytes
len=84 ip=66.135.208.88 ttl=104 DF id=24372 sport=80 flags=SA seq=0 win=16616 rtt=127.6 ms
RR: 10.8.1.66
66.135.223.214
144.223.252.6
144.232.29.129
144.232.20.19
144.232.20.180
144.232.3.202
144.232.20.58
144.232.9.205
HPING www.ebay.com (eth0 66.135.192.88): S set, 40 headers + 0 data bytes
Paratrace output:
UP: *.*.*.*:80 [22] 0.629s
001 = 192.168.1.1|80 [01] 0.706s( 192.168.1.102 -> 66.135.192.87 )
002 = 10.244.32.1|80 [02] 0.747s( 192.168.1.102 -> 66.135.192.87 )
003 = 68.87.165.213|80 [03] 0.784s( 192.168.1.102 -> 66.135.192.87 )
004 = 68.87.165.41|80 [04] 0.831s( 192.168.1.102 -> 66.135.192.87 )
005 = 68.87.165.37|80 [05] 0.873s( 192.168.1.102 -> 66.135.192.87 )
006 = 12.124.91.5|80 [06] 0.924s( 192.168.1.102 -> 66.135.192.87 )
007 = 12.123.32.157|80 [07] 0.968s( 192.168.1.102 -> 66.135.192.87 )
008 = 12.122.5.133|80 [08] 0.987s( 192.168.1.102 -> 66.135.192.87 )
010 = 12.122.12.30|80 [10] 1.050s( 192.168.1.102 -> 66.135.192.87 )
011 = 204.255.174.149|80 [11] 1.078s( 192.168.1.102 -> 66.135.192.87 )
009 = 12.122.2.129|80 [10] 1.141s( 192.168.1.102 -> 66.135.192.87 )
012 = 152.63.82.198|80 [13] 1.372s( 192.168.1.102 -> 66.135.192.87 )
013 = 152.63.10.102|80 [14] 1.394s( 192.168.1.102 -> 66.135.192.87 )
015 = 152.63.48.90|80 [18] 1.451s( 192.168.1.102 -> 66.135.192.87 )
017 = 157.130.209.22|80 [19] 1.481s( 192.168.1.102 -> 66.135.192.87 )
014 = 152.63.1.33|80 [18] 1.532s( 192.168.1.102 -> 66.135.192.87 )
016 = 152.63.56.253|80 [19] 1.586s( 192.168.1.102 -> 66.135.192.87 )
018 = 66.135.207.170|80 [20] 1.632s( 192.168.1.102 -> 66.135.192.87 )
edit 3, ok, last one of the night. I actually had to get out of bed and do this one last one! I'm such a fuggin geek! I thought it might be something with DNS pointing to different servers, so I ran the same commands against the numerics. It gave me the same results???!!!??
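Added example, not part of the original post: a small parser for hping2 `-G` output like that shown above. It groups replies by responding address so the IP ID values, TTLs, recorded routes and RFC 1918 hops seen for each responder can be compared side by side. The sample is abridged from the post's output (RR lists trimmed to two hops), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Abridged from the post's hping2 output; each RR list is trimmed to two hops.
SAMPLE = """\
len=84 ip=66.135.192.88 ttl=108 DF id=19439 sport=80 flags=SA seq=1 win=16616 rtt=130.5 ms
RR: 10.6.105.7
10.6.1.106
len=84 ip=66.135.208.101 ttl=106 DF id=37846 sport=80 flags=SA seq=0 win=16616 rtt=140.6 ms
RR: 10.8.1.74
66.135.223.214
len=84 ip=66.135.192.88 ttl=108 DF id=44620 sport=80 flags=SA seq=4 win=16616 rtt=146.3 ms
RR: 10.6.105.7
10.6.1.74
DUP! len=84 ip=66.135.208.101 ttl=105 DF id=39863 sport=80 flags=SA seq=0 win=16616 rtt=4362.4 ms
RR: 10.8.1.78
66.135.223.222
"""

REPLY = re.compile(r"^(?:DUP! )?len=\d+ ip=(\S+) ttl=(\d+) .*?\bid=(\d+)")
HOP = re.compile(r"^(?:RR:\s*)?(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_replies(text):
    """Return one dict per reply: responder ip, ttl, IP ID and recorded route."""
    replies = []
    for line in text.splitlines():
        line = line.strip()
        m = REPLY.match(line)
        if m:  # a reply header starts a new record
            replies.append({"ip": m.group(1), "ttl": int(m.group(2)),
                            "ipid": int(m.group(3)), "route": []})
        elif replies and (h := HOP.match(line)):  # "RR: a.b.c.d" or a bare hop
            replies[-1]["route"].append(h.group(1))
    return replies

def summarize(replies):
    """Group by responder: IP IDs in arrival order, TTLs, routes, RFC 1918 hops."""
    out = defaultdict(lambda: {"ipids": [], "ttls": set(),
                               "routes": set(), "private_hops": set()})
    for r in replies:
        s = out[r["ip"]]
        s["ipids"].append(r["ipid"])
        s["ttls"].add(r["ttl"])
        s["routes"].add(tuple(r["route"]))
        s["private_hops"].update(
            h for h in r["route"] if ipaddress.ip_address(h).is_private)
    return dict(out)

for ip, s in summarize(parse_replies(SAMPLE)).items():
    print(ip, s["ipids"], sorted(s["ttls"]), len(s["routes"]), sorted(s["private_hops"]))
```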