 funchordsHelloPremium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:5
1 edit | reply to funchords
Re: Comcast is using Sandvine to manage P2P ConnectionsI just ran a test and found something interesting. When looking at the injected RST packets, check out the TTL!
During my test, I had 18 injected RSTs (not counting duplicates, since there are usually two). What was interesting is that they all had a TTL of 123 -- a TTL that was several hops away either me or my peer! The perfect forgery is not so perfect!
So, let's find out what lives at TTL=123 (TTL is decremented before the facing side of each hop)
Tracing route to XXX.XXX.XXX.XXX
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.177.251 (TTL=127)
2 * * * Request timed out. (TTL=126)
3 9 ms 9 ms 9 ms GE-1-11-ur03.beaverton.or.bverton.comcast.net [68.87.218.89] (TTL=125)
4 8 ms * * te-9-2-ar01.beaverton.or.bverton.comcast.net [68.87.216.29] (*** TTL=124 ***)
---- the responsible device is here, either attached to or between the above and below device ----
5 15 ms 23 ms 11 ms 12.118.177.49 (*** TTL=123 ***}
6 14 ms 12 ms 11 ms 12.123.44.114
7 13 ms 36 ms 14 ms tbr1.st6wa.ip.att.net [12.122.12.157]
8 14 ms 11 ms 11 ms 12.127.6.57
.
.
.
Now "123" is not a magic number. That means that I'm 5 (128 - 5 = 123) hops away from the device that is interfering with me.
I'm not sure this information is useful, but it sure is interesting!
Edit: Another user forwarded his Wireshark capture to me. The TTL phenomena doesn't hold true for him, unfortunately.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report. |
|
|
|
 jig
join:2001-01-05
Hacienda Heights, CA | it means you have something to filter against rather than just all rst packets |
|
| reply to funchords
Interesting that in TTL=123 (12.118.177.49) is an ATT Ip Adress. "AT&T WorldNet Services ATT". Isn't Comcast and ATT merged as far as the net? Funchords how did you see that your RST packets had a TTL of 123, i have wireshark installed. |
|
NormanSPremium,MVM
join:2001-02-14
San Jose, CA
kudos:4 Reviews:
 ·SONIC.NET
·Pacific Bell - SBC
1 edit | said by Kandango :
Interesting that in TTL=123 (12.118.177.49) is an ATT Ip Adress. "AT&T WorldNet Services ATT". Isn't Comcast and ATT merged as far as the net? Funchords how did you see that your RST packets had a TTL of 123, i have wireshark installed.
AT&T Worldnet Services is not the same thing as the old AT&T Broadband Internet. ATTBI was spun off from the AT&T mothership, and became Comcast[1]. But AT&T Worldnet Services was part of the old AT&T, and remained independent of Comcast. In fact, AT&T Worldnet Services was part of the AT&T which was bought by SBC in 2006; and is currently still called AT&T.
[1] Somewhere I got the idea that ATTBI bought Comcast.
»www.corp.att.com/news/2002/11/18-11087
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum |
|
funchordsHelloPremium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:5
1 edit | reply to Kandango
said by Kandango :
Funchords how did you see that your RST packets had a TTL of 123, i have wireshark installed.
Expand the "IP" section (above the TCP section), the TTL appears there. |
|
funchordsHelloPremium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:5
1 edit | reply to Kandango
said by Kandango :
Interesting that in TTL=123 (12.118.177.49) is an ATT Ip Adress. "AT&T WorldNet Services ATT". That's not necessarily where the box is, but it could be.
If it's not a router, it shouldn't decrement TTL. So TTL=123 includes the non-facing side of the router with a TTL=124, the facing side of the router with a TTL=123, and anything in between.
As a practical matter, it also includes any added technology at either router, such as a Sandvine P2P Policy Management (PPE 8200).
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
Are you affected by Comcast's RST forging? How to test it! -or- Read my original report. |
|
