  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | reply to funchords Re: Comcast is using Sandvine to manage P2P Connections
I just ran a test and found something interesting. When looking at the injected RST packets, check out the TTL!
During my test, I had 18 injected RSTs (not counting duplicates, since there are usually two). What was interesting is that they all had a TTL of 123 -- a TTL that was several hops away from either me or my peer! The perfect forgery is not so perfect!
So, let's find out what lives at TTL=123 (TTL is decremented before the facing side of each hop)
Now "123" is not a magic number. That means that I'm 5 (128 - 5 = 123) hops away from the device that is interfering with me.
I'm not sure this information is useful, but it sure is interesting!
Edit: Another user forwarded his Wireshark capture to me. The TTL phenomenon doesn't hold true for him, unfortunately.
-- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA Are you affected by Comcast's RST forging? How to test it! -or- Read my original report. |
|
  jig
join:2001-01-05 Hacienda Heights, CA | it means you have something to filter against rather than just all rst packets |
|
  Kandango
@comcast.net | reply to funchords Interesting that in TTL=123 (12.118.177.49) is an ATT IP address. "AT&T WorldNet Services ATT". Isn't Comcast and ATT merged as far as the net? Funchords, how did you see that your RST packets had a TTL of 123? I have Wireshark installed. |
|
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
1 edit | said by Kandango :
Interesting that in TTL=123 (12.118.177.49) is an ATT IP address. "AT&T WorldNet Services ATT". Isn't Comcast and ATT merged as far as the net? Funchords, how did you see that your RST packets had a TTL of 123? I have Wireshark installed.
AT&T Worldnet Services is not the same thing as the old AT&T Broadband Internet. ATTBI was spun off from the AT&T mothership, and became Comcast[1]. But AT&T Worldnet Services was part of the old AT&T, and remained independent of Comcast. In fact, AT&T Worldnet Services was part of the AT&T which was bought by SBC in 2006, and is currently still called AT&T.
[1] Somewhere I got the idea that ATTBI bought Comcast.
»www.corp.att.com/news/2002/11/18-11087 -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC 1 edit | reply to Kandango said by Kandango :
Funchords, how did you see that your RST packets had a TTL of 123? I have Wireshark installed.
Expand the "IP" section (above the TCP section), the TTL appears there. |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | reply to Kandango said by Kandango :
Interesting that in TTL=123 (12.118.177.49) is an ATT IP address. "AT&T WorldNet Services ATT".
That's not necessarily where the box is, but it could be.
If it's not a router, it shouldn't decrement TTL. So TTL=123 includes the non-facing side of the router with a TTL=124, the facing side of the router with a TTL=123, and anything in between.
As a practical matter, it also includes any added technology at either router, such as a Sandvine P2P Policy Management (PPE 8200).
-- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA Are you affected by Comcast's RST forging? How to test it! -or- Read my original report. |
|
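An added example, not part of the thread or any poster's code: the TTL comparison discussed above, applied to a constructed packet list in which each RST is checked against the TTL the same source normally arrives with. The addresses, the tuple layout, the tolerance and the list of common initial TTLs are assumptions; as the edit in the first post notes, a matching TTL does not rule out injection.

```python
from collections import Counter, defaultdict

# Constructed sample: (src_ip, dst_ip, ttl, tcp_flags) as seen at the local host.
# Addresses are documentation ranges; TTL 123 mirrors the value reported in the thread.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 52, "A"),
    ("198.51.100.7", "192.0.2.10", 52, "PA"),
    ("198.51.100.7", "192.0.2.10", 52, "A"),
    ("198.51.100.7", "192.0.2.10", 123, "R"),  # claims to be the peer, unusual TTL
    ("198.51.100.7", "192.0.2.10", 123, "R"),  # duplicate RST
    ("203.0.113.5", "192.0.2.10", 49, "A"),
    ("203.0.113.5", "192.0.2.10", 49, "PA"),
    ("203.0.113.5", "192.0.2.10", 49, "R"),    # RST carrying the peer's usual TTL
]

COMMON_INITIAL_TTLS = (64, 128, 255)  # typical OS defaults (assumption)


def hops_from_sender(ttl):
    """Estimate hop count, assuming the sender used the nearest common default."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl


def suspicious_rsts(packets, tolerance=1):
    """Return RSTs whose TTL differs from the same source's usual non-RST TTL."""
    baseline = defaultdict(Counter)
    for src, dst, ttl, flags in packets:
        if "R" not in flags:
            baseline[(src, dst)][ttl] += 1
    findings = []
    for src, dst, ttl, flags in packets:
        if "R" not in flags or not baseline[(src, dst)]:
            continue  # not an RST, or no baseline to compare against
        usual = baseline[(src, dst)].most_common(1)[0][0]
        if abs(ttl - usual) > tolerance:
            findings.append((src, ttl, usual, hops_from_sender(ttl)))
    return findings


if __name__ == "__main__":
    for src, ttl, usual, hops in suspicious_rsts(PACKETS):
        print(f"RST 'from' {src}: TTL {ttl}, usual {usual}, ~{hops} hops from its sender")
```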