-
June 26th, 2002, 08:07 AM
#21
Originally posted here by ammo
It might be interesting to see how many hops (TTL diffs) the guys at your ISP get if they ping you. If the "conspiracy theory" is true, I would bet the eavesdropper is filtering connections from the ISP "management" (techs' and admins' computers) so his box doesn't show up to them.
However, I doubt he would have hacked the kernel to not decrease the TTL values of IP packets. Thus inspecting TTLs from packets coming from the ISP could reveal the attacker's presence to the ISP techs.
Unfortunately (?), it is extremely common for traceroutes to differ greatly in opposite directions. This is due both to:
- routes between different IPs (the source and destination) tend to be different and thus asymmetric
- at best (i.e. symmetric routes) you tend to be looking at two different sides of a dual-homed router, and the reply you get will be based on the source that you would see (can someone help me phrase that better?)
In short, assume you have a very simple network (apologies if I blow this, I'm typing this "blind," etc, in hopes of trying to explain what's going on here):
Code:
Server - 192.168.3.2
|
Router A (e0) - 192.168.3.1
Router A (s0) - 192.168.2.254
|
[serial line]
|
Router B (s0) - 192.168.2.1
Router B (e0) - 192.168.1.1
|
My Host - 192.168.1.2
Now here, you have four systems... we want to go from the bottom to the top (our host to the server).
<edit>Our networks, for clarification, are:
LOCAL LAN: 192.168.1.0/24 (that's 192.168.1.0 - 192.168.1.255)
SERIAL LINK (T1): 192.168.2.0/24 (that's 192.168.2.0 - 192.168.2.255)
REMOTE LAN: 192.168.3.0/24 (that's 192.168.3.0 - 192.168.3.255)
</edit>
If we traceroute from our host, assuming UDP/ICMP are completely open, we should get responses from:
192.168.1.2
192.168.1.1
192.168.2.254
192.168.3.2
But if we get on the server, we'll get responses from:
192.168.3.2
192.168.3.1
192.168.2.1
192.168.1.2
...and yet the routes are said to be symmetric because they follow the same path out and back.
Now, if we extend that one step further, your local network is xxx.xxx.xxx.0/24, the serial line (the "taps" as we say) could be 10.0.0.0/24 (10.0.0.0 - 10.0.0.255) and the hop on the other side of it yyy.yyy.yyy.yyy. Make a little more sense?
I gotta say though that the eavesdropper theory sounds improbable to me, but if you say that your ISP knows nothing of such a host on their network, I'd probably get suspicious too...
Helpdesk people can usually not even tell you what type of router a particular system is, let alone that it even exists.
I wouldn't doubt there's a "tap" there somewhere... most semi-curious ISPs will likely run some sort of NIDS system, though possibly a bit primitive (the more advanced ones tend to not be that easy to set up, let alone maintain as compromises and attacks are formulated). But they do normally do dumb/primitive things... like trying to make sure that people from unauthorized hosts aren't trying to probe or log in to their routers.
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
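The two points made in the post above (ammo's suggestion of reading TTLs to count the routers in a path, and draziw's explanation of why a traceroute shows different addresses in each direction even when the path itself is symmetric) are easy to see in a small model. The following is an added example, not code from the thread: it builds the four-node network from the diagram with the post's RFC 1918 addresses (the node labels MyHost, RouterA, RouterB and Server are my own), forwards a probe hop by hop, and sources each ICMP Time Exceeded reply from the interface the probe arrived on, which is exactly why each direction sees the "near" side of every dual-homed router. Unlike the listing in the post it does not print the sender's own address as a hop; it lists only the systems that answer from beyond the sender. The TTL helpers assume the usual initial values of 64, 128 and 255.

```python
"""Model of the four-node network from the post: why traceroute answers differ
by direction on a symmetric path, and what a received TTL says about hop count.

Constructed example. Addresses are the RFC 1918 ones from the post, node names
are labels of my own choosing; nothing here is a real network.
"""
import ipaddress

# Every interface each node owns, as address/prefix.
NODES = {
    "Server":  ["192.168.3.2/24"],
    "RouterA": ["192.168.3.1/24", "192.168.2.254/24"],   # e0, s0
    "RouterB": ["192.168.2.1/24", "192.168.1.1/24"],     # s0, e0
    "MyHost":  ["192.168.1.2/24"],
}

# Static routes per node: destination prefix -> next-hop address. Directly
# connected subnets need no entry; the hosts just point a default at their router.
ROUTES = {
    "Server":  {"0.0.0.0/0": "192.168.3.1"},
    "RouterA": {"192.168.1.0/24": "192.168.2.1"},
    "RouterB": {"192.168.3.0/24": "192.168.2.254"},
    "MyHost":  {"0.0.0.0/0": "192.168.1.1"},
}

COMMON_INITIAL_TTLS = (64, 128, 255)   # typical Linux/BSD, Windows, Cisco/Solaris defaults


def interfaces(node):
    return [ipaddress.ip_interface(a) for a in NODES[node]]


def owner(addr):
    """Node that owns an interface address, or None if nobody does."""
    addr = ipaddress.ip_address(addr)
    for node in NODES:
        if any(i.ip == addr for i in interfaces(node)):
            return node
    return None


def iface_on_subnet_with(node, peer):
    """Address of the interface of `node` that shares a subnet with `peer`."""
    peer = ipaddress.ip_address(peer)
    for i in interfaces(node):
        if peer in i.network:
            return i.ip
    return None


def next_hop(node, dst):
    """Directly connected wins, then longest-prefix match in the static table."""
    dst = ipaddress.ip_address(dst)
    if any(dst in i.network for i in interfaces(node)):
        return dst
    best = None
    for prefix, nh in ROUTES[node].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(nh))
    return best[1] if best else None


def send_probe(src, dst, ttl):
    """Forward one probe hop by hop: (responder address, outcome, nodes visited).

    'reached': the destination answers from the probed address.
    'expired': a router's TTL hit zero; its ICMP Time Exceeded is sourced from
               the interface the probe arrived on (the ingress side).
    'unreachable': no route or no such host.
    """
    dst = ipaddress.ip_address(dst)
    node, prev, visited = src, None, [src]
    while True:
        if prev is not None:                      # the packet has crossed a link
            if any(dst == i.ip for i in interfaces(node)):
                return str(dst), "reached", visited
            ttl -= 1
            if ttl <= 0:
                return str(iface_on_subnet_with(node, prev)), "expired", visited
        nh = next_hop(node, dst)
        if nh is None:
            return None, "unreachable", visited
        prev = iface_on_subnet_with(node, nh)     # our egress address on that link
        node = owner(nh)
        if node is None:
            return None, "unreachable", visited
        visited.append(node)


def traceroute(src, dst, max_ttl=30):
    """Addresses answering probes with TTL 1, 2, ... until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, outcome, _ = send_probe(src, dst, ttl)
        hops.append(responder)
        if outcome != "expired":
            break
    return hops


def path(src, dst):
    """Nodes a packet traverses; compare path(a, b) with reversed(path(b, a))."""
    return send_probe(src, dst, 255)[2]


def arrival_ttl(src, dst, initial_ttl=64):
    """TTL a packet carries on arrival: one decrement per router crossed."""
    return initial_ttl - (len(path(src, dst)) - 2)   # drop the two end hosts


def estimate_router_hops(observed_ttl):
    """Routers crossed, assuming the sender used the nearest common initial TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


if __name__ == "__main__":
    print("MyHost -> Server:", traceroute("MyHost", "192.168.3.2"))
    print("Server -> MyHost:", traceroute("Server", "192.168.1.2"))
    print("forward path:", path("MyHost", "192.168.3.2"))
    print("reverse path:", path("Server", "192.168.1.2"))
    ttl = arrival_ttl("MyHost", "192.168.3.2")
    print("arrives at Server with TTL", ttl, "->", estimate_router_hops(ttl), "routers between")
```

The two traceroutes list disjoint router addresses (192.168.1.1 and 192.168.2.254 one way, 192.168.3.1 and 192.168.2.1 the other) while `path()` returns the same nodes in reverse order, which is the distinction the post is drawing. The TTL check is ammo's idea in code: if the ISP knows how many of its routers sit between it and a customer and a customer's packets arrive having lost one decrement more than that, something routing the packets is in the path that the ISP has not accounted for, unless, as the post notes, that box has been made to pass packets without decrementing TTL.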
-
June 26th, 2002, 02:44 PM
#22
>> Mirroring can also be kind of "expensive" on a busy switch and can lead to serious problems/issues, so I'd personally not recommend it.
I wouldn't recommend trying to mirror every port on a very busy switch, but I have seen multiple ports mirrored to multiple other ports (on connections between internet routers/internet firewalls) with zero side effects on a Cisco 3500 series switch. The key is to make sure you are not mirroring 1000 ports to one port; then you could have major problems. But if you choose to do it at choke points (entry ways into a network), you can get away with mirroring one port and the load difference isn't all that noticeable (I have seen this work at speeds up to 60Mb/s (realistic speed of a 100Mb cat 5 ethernet) with no problem, and it may work at higher speeds; I just haven't been privileged enough to play with gig-e all that often yet)...
Just a thought...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
June 26th, 2002, 03:06 PM
#23
Aah... you're right, draziw. I guess I let myself get caught up in the conspiracy thing (guilty of PWS: posting while sleepy...)
Great explications though!
Ammo
Credit travels up, blame travels down -- The Boss
-
June 26th, 2002, 04:41 PM
#24
I have Optimum Online, and I also get that 10.x.x.x IP address as my first IP address after my router. I do not know what it is, but I am starting to get annoyed because it is always doing port scans on me.
-
June 26th, 2002, 07:07 PM
#25
Don't worry about that kind of tap; the government can use a normal phone tap, then record the sounds on the line (those nasty modem screeches) and put it through a program that can partially piece together what is going on.
You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0