
List:       nmap-dev
Subject:    Re: Off by one in ICMP distance calculation?
From:       "Luis MartinGarcia." <luis.mgarc () gmail ! com>
Date:       2011-09-30 10:00:05
Message-ID: 4E859325.7020207 () gmail ! com

On 09/15/2011 06:48 PM, David Fifield wrote:
> During OS detection, we calculate distance by subtracting the
> encapsulated TTL in an ICMP error reply from the TTL we set originally
> when sending the probe:
> /* Count hop count */
> if (hss->distance == -1) {
> hss->distance = this->udpttl - ip2->ip_ttl;
> }
> I think this is off by one: it reports one less than the actual
> distance. I added this debugging line:
> log_write(LOG_PLAIN, "TTL distance: %d - %d == %d\n", this->udpttl, ip2->ip_ttl,
>           this->udpttl - ip2->ip_ttl);
> and I tried running with traceroute. Here's a remote host:
> TTL distance: 56 - 46 == 10
> Network Distance: 11 hops
> TRACEROUTE (using port 53/tcp)
> HOP RTT      ADDRESS
> 1   6.11 ms  192.168.0.1
> ...
> 9   29.23 ms 10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)
> 10  14.23 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (64.62.250.6)
> 11  17.00 ms li86-221.members.linode.com (74.207.244.221)
> and here's a directly connected host:
> TTL distance: 61 - 61 == 0
> Network Distance: 1 hop
> TRACEROUTE
> HOP RTT     ADDRESS
> 1   0.23 ms 192.168.0.3
> 
> Directly connected hosts are already treated as a special case and set
> to distance 1, so you would only notice the discrepancy against
> multiple-hop hosts.
> 
> Does anyone else agree that this is off by one?
> 

Hi!

In my opinion it depends on the definition of network distance. If we
only mean the number of intermediate devices between the sender and the
receiver, then SENT_TTL - RECV_TTL throws the correct value.
However, I don't think the distance should be defined like that. In the
real world, when someone asks how far some tube station is and I tell
them it's three stops away, that means you get the tube at station A,
you pass B and C until you get to D. In network communications B and C
would be routers and the TTL would be decremented only twice, not three
times. Therefore:

A[TTL 255] --> B [TTL 254] --> C [TTL 253] --> D   ::
Distance=255-253=2?  Wrong, it should be 3.

So yeah, I agree that it's an off-by-one bug. Plus, if we do
{distance=SENT_TTL - RCVD_TTL + 1} then the directly connected host is not a
special case and can be reliably distinguished from the scenario where
there is one router in the middle.

Just my two cents. Regards,

Luis.



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
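The thread above describes the two formulas in words; the following is an added example (not code from the thread or from Nmap) that models a probe crossing a path of routers, has the target quote the TTL it received, and then computes the distance both ways. The path lengths and the sent TTL of 61 are constructed values; `ttl_at_target`, `distance_old` and `distance_new` are names chosen for this example.

```c
#include <stdio.h>

/* Constructed model of the situation discussed in the thread, not Nmap code.
 * The sender sets the probe's IP TTL, every router on the path decrements it
 * by one before forwarding, and the target quotes the TTL it actually
 * received (ip2->ip_ttl in the thread) inside the ICMP error it sends back. */

/* TTL the target sees after the probe has crossed n_routers routers,
 * or -1 if some router would have discarded it as TTL exceeded. */
int ttl_at_target(int sent_ttl, int n_routers)
{
    int ttl = sent_ttl;
    for (int i = 0; i < n_routers; i++) {
        if (ttl <= 1)
            return -1; /* dropped in transit: no quoted TTL comes back */
        ttl--;
    }
    return ttl;
}

/* The formula from the original code, with the special case the thread
 * mentions: a directly connected target is forced to distance 1. */
int distance_old(int sent_ttl, int recv_ttl, int directly_connected)
{
    if (directly_connected)
        return 1;
    return sent_ttl - recv_ttl;
}

/* The formula proposed in the reply: routers crossed plus the target itself. */
int distance_new(int sent_ttl, int recv_ttl)
{
    return sent_ttl - recv_ttl + 1;
}

int main(void)
{
    const int sent_ttl = 61;               /* constructed, as in the thread's LAN case */
    const int paths[] = { 0, 1, 2, 10 };   /* routers between sender and target */

    printf("%-8s %-5s %-5s %-4s %-4s\n", "routers", "sent", "recv", "old", "new");
    for (unsigned i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int n = paths[i];
        int recv = ttl_at_target(sent_ttl, n);
        /* The old formula needs to know separately that the host is directly
         * connected; the new one reads it off the TTL difference alone. */
        printf("%-8d %-5d %-5d %-4d %-4d\n", n, sent_ttl, recv,
               distance_old(sent_ttl, recv, n == 0),
               distance_new(sent_ttl, recv));
    }
    return 0;
}
```

The table makes the collision visible: with zero routers the old formula reports 1 only because of the special case, and with one router it also reports 1, so the two cases are indistinguishable; the +1 formula yields 1 and 2 respectively. It also reproduces the remote host in the thread, where 56 - 46 + 1 gives 11, matching the 11-hop traceroute.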

