Quote:
Originally posted here by ammo
It might be interesting to see how many hops (TTL diffs) the guys at your ISP get if they ping you. If the "conspiracy theory" is true, I would bet the eavesdropper is filtering connections from the ISP "management" (techs' and admins' computers) so his box doesn't show up to them.
However I doubt he would have hacked the kernel to not decrease the TTL values from IP packets. Thus inspecting TTLs from packets coming from the ISP could reveal the attacker's presence to the ISP techs.
Unfortunately (?), it is extremely common for traceroutes to differ greatly in opposite directions. This is due both to:
- routes between different IPs (the source and destination) tend to be different and thusly asymmetric
- at best (i.e. symmetric routes) you tend to be looking at two different sides of a dual-homed router and the reply you get will be based on the source that you would see (can someone help me phrase that better?)
In short, assume you have a very simple network (apologies if I blow this, I'm typing this "blind," etc, in hopes of trying to explain what's going on here):
Code:
Server - 192.168.3.2
|
Router A (e0) - 192.168.3.1
Router A (s0) - 192.168.2.254
|
[serial line]
|
Router B (s0) - 192.168.2.1
Router B (e0) - 192.168.1.1
|
My Host - 192.168.1.2
Now here, you have four systems... we want to go from the bottom to the top (our host to the server).
<edit>
Our networks, for clarification, are:
LOCAL LAN: 192.168.1.0/24 (that's 192.168.1.0 - 192.168.1.255)
SERIAL LINK (T1): 192.168.2.0/24 (that's 192.168.2.0 - 192.168.2.255)
REMOTE LAN: 192.168.3.0/24 (that's 192.168.3.0 - 192.168.3.255)
</edit>
If we traceroute from our host, assuming UDP/ICMP are completely open, we should get responses from:
192.168.1.2
192.168.1.1
192.168.2.254
192.168.3.2
But if we get on the server, we'll get responses from:
192.168.3.2
192.168.3.1
192.168.2.1
192.168.1.2
...but yet the routes are said to be symmetric because they follow the same path out and back.
Now, if we extend that one step further, your local network is xxx.xxx.xxx.0/24, the serial line (the "taps" as we say) could be 10.0.0.0/24 (10.0.0.0 - 10.0.0.255) and the hop on the other side of it yyy.yyy.yyy.yyy. Make a little more sense?
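As an added example (not code from the original post), here is a small Python model of the network drawn above. It applies the single rule behind both listings, that each hop answers from the interface the probe arrived on, and so reproduces the host-side and server-side traceroutes; it also counts the routers on the path to give the TTL the far end should see, which is the check ammo's quote suggests. The "eth0" interface names on the two end hosts are my assumption.

```python
from collections import namedtuple

# One interface on a node; addresses are the constructed 192.168.x.x values
# from the diagram. Host interface names ("eth0") are assumed, not in the post.
Interface = namedtuple("Interface", ["node", "name", "addr"])

# Forward path (My Host -> Server), interface by interface. For a router the
# first entry is the interface the packet arrives on, the second the one it
# leaves by; end hosts have one interface.
PATH = [
    Interface("My Host", "eth0", "192.168.1.2"),
    Interface("Router B", "e0", "192.168.1.1"),
    Interface("Router B", "s0", "192.168.2.1"),
    Interface("Router A", "s0", "192.168.2.254"),
    Interface("Router A", "e0", "192.168.3.1"),
    Interface("Server", "eth0", "192.168.3.2"),
]

def hops(path):
    """Collapse consecutive interfaces of the same node into one hop."""
    out = []
    for iface in path:
        if out and out[-1][0].node == iface.node:
            out[-1].append(iface)
        else:
            out.append([iface])
    return out

def traceroute(path):
    """Addresses a traceroute started at path[0] reports, source first.
    Each node answers from the interface the probe arrived on (the side
    facing the prober), so every hop shows its ingress address."""
    return [hop[0].addr for hop in hops(path)]

def is_symmetric(forward, reverse):
    """Same devices in opposite order: the route is symmetric even though
    the two traceroutes list different addresses."""
    fwd = [hop[0].node for hop in hops(forward)]
    rev = [hop[0].node for hop in hops(reverse)]
    return fwd == rev[::-1]

def expected_ttl(path, initial_ttl=64):
    """TTL the far end should see: each router decrements it once, so an
    extra decrement suggests a device the traceroute did not list."""
    routers = sum(1 for hop in hops(path) if len(hop) > 1)
    return initial_ttl - routers

if __name__ == "__main__":
    print("host -> server:", traceroute(PATH))
    print("server -> host:", traceroute(PATH[::-1]))
    print("TTL at server:", expected_ttl(PATH))
```

Run as-is it prints the two address lists from the post; reversing PATH is what "getting on the server" amounts to in this model.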
Quote:
I gotta say though that the eavesdropper theory sounds improbable to me, but if you say that your ISP knows nothing of such a host on their network I'd probably get suspicious too...
Helpdesk people can usually not even tell you what type of router a particular system is, let alone that it even exists.
I wouldn't doubt there's a "tap" there somewhere... most semi-curious ISPs will likely run some sort of NIDS system, though possibly a bit primitive (the more advanced ones tend to not be that easy to set up, let alone maintain as compromises and attacks are formulated). But they do normally do dumb/primitive things... like trying to make sure that people from unauthorized hosts aren't trying to probe or log in to their routers.
