[364] in linux-security and linux-alert archive
source routing
daemon@ATHENA.MIT.EDU (Linas Vepstas)
Sun Sep 17 12:22:30 1995
From: Linas Vepstas <linas@teleportal.com>
Date: Sat, 16 Sep 95 14:57:36 -500
To: linux-security@tarsier.cv.nrao.edu, linas@teleportal.com
Hi,
This is a kind of newbie question, but ...
in /var/adm/messages, I am starting
to see a whole bunch of messages such as
kernel: ICMP: 143.166.213.152: Source Route Failed
Why? What do these messages mean?
I did a traceroute 143.166.213.152 and note that
traceroute starts reporting an "infinite loop" at
some point (typically 20 or more hops away). By
"infinite loop" I mean that the same router starts
showing up over and over again, with no apparent
forward progress of the packet. What does this
mean??
Finally -- the route taken appears to be very odd.
I live in Austin, Texas, yet here is part of the
packet's path:
4 Aus1-t1/s0.hou1.tlc.net (204.157.152.2) 33.878 ms 37.229 ms 33.752 ms
5 net99-hous-1-s0/T1.net99.net (204.157.1.69) 40.499 ms 35.704 ms 34.084 ms
6 mae-e-dc-1.Net99.Net (204.157.0.133) 78.716 ms 85.111 ms 91.283 ms
7 cpe2.Washington.mci.net (192.41.177.181) 89.399 ms 84.709 ms 85.065 ms
8 border2-hssi4-0.Washington.mci.net (204.70.57.9) 102.276 ms 95.192 ms 83.993 ms
9 core-fddi-1.Washington.mci.net (204.70.3.1) 104.727 ms 87.206 ms 90.597 ms
10 core2-aip-4.Washington.mci.net (204.70.1.74) 148.77 ms 178.611 ms 232.062 ms
11 core1-hssi-3.Greensborough.mci.net (204.70.1.129) 111.588 ms 104.393 ms 97.474 ms
12 core2-hssi-3.Atlanta.mci.net (204.70.1.125) 135.659 ms * 102.321 ms
13 core1-hssi-2.Dallas.mci.net (204.70.1.114) 121.311 ms 123.483 ms 140.983 ms
14 core-hssi-3.Houston.mci.net (204.70.1.122) 153.733 ms 149.494 ms 152.808 ms
15 border1-fddi-0.Houston.mci.net (204.70.2.98) 152.357 ms 150.209 ms 143.97 ms
16 * sesquinet.Houston.mci.net (204.70.36.6) 129.659 ms 148.644 ms
17 HOU4-F0.SESQUI.NET (192.67.13.89) 158.969 ms 170.033 ms 151.709 ms
18 HOU1-F20.SESQUI.NET (128.241.200.81) 149.937 ms 165.028 ms 152.638 ms
19 AU1-S1.SESQUI.NET (128.241.9.130) 164.5 ms 155.816 ms 157.871 ms
20 DELL-S0.SESQUI.NET (128.241.4.162) 161.604 ms 179.101 ms 191.744 ms
Now, I'm wildly guessing that DELL-S0 is a machine in
Austin, Texas, home of Dell Computer. And I'm wildly
guessing that AU1-S1 is in Austin as well. And that
HOU1-F20 is in Houston, Texas. And, with some more
guessing, my packets went through Dallas, TX,
Greensborough, North Carolina, Atlanta, Georgia, and
Washington, DC.
So it would seem my packets left Austin, went to Houston,
bounced around the country for a while, and
finally came back to Austin via Houston. (Is that
why my internet provider charges those fees?)
Seriously, though -- should I assume that someone
has a packet sniffer installed on one of these
machines, and is listening to everything I say?
Should I be worried for any reason? Should I be
disabling something in my kernel? Is this what
happens when you don't ignore ICMP redirect messages?
Inquiring minds want to know ...
--linas
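Two small checks a defender could run against the symptoms described in the message above, as an added example that is not part of the original post or of any reply to it: a parser that counts the kernel's "Source Route Failed" lines in /var/adm/messages per reported address, and a traceroute parser that flags any router answering at more than one hop, which is the "infinite loop" the poster describes. The syslog lines and the traceroute output below are constructed samples modelled on the formats quoted in the post (using documentation addresses), and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of /var/adm/messages, modelled on the line quoted in the post.
SAMPLE_MESSAGES = """\
Sep 16 14:01:12 tux kernel: ICMP: 143.166.213.152: Source Route Failed
Sep 16 14:01:15 tux kernel: ICMP: 143.166.213.152: Source Route Failed
Sep 16 14:02:03 tux kernel: ICMP: 192.0.2.77: Source Route Failed
Sep 16 14:02:40 tux in.telnetd[201]: connect from 192.0.2.10
"""

# Constructed traceroute output (documentation addresses) in the same layout as
# the post's, including a hop with a lost probe ("*") and one with no reply at all.
# Hops 3-6 and 8 show the same two routers answering again and again.
SAMPLE_TRACE = """\
traceroute to 192.0.2.77 (192.0.2.77), 30 hops max, 40 byte packets
 1  gw.example.net (192.0.2.1)  2.101 ms  1.988 ms  2.040 ms
 2  * border.example.net (192.0.2.2)  33.878 ms  37.229 ms
 3  core1.example.net (192.0.2.3)  40.499 ms  35.704 ms  34.084 ms
 4  core2.example.net (192.0.2.4)  78.716 ms  85.111 ms  91.283 ms
 5  core1.example.net (192.0.2.3)  104.727 ms  87.206 ms  90.597 ms
 6  core2.example.net (192.0.2.4)  111.588 ms  104.393 ms  97.474 ms
 7  * * *
 8  core1.example.net (192.0.2.3)  121.311 ms  123.483 ms  140.983 ms
"""

# Matches the kernel message quoted in the post and captures the reported address.
SRF_RE = re.compile(r"kernel: ICMP: (\d{1,3}(?:\.\d{1,3}){3}): Source Route Failed")

# One traceroute hop line: hop number, optional lost probes ("* "), hostname, (address).
# A line of only asterisks has no hostname/address and does not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*\s+)*(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def count_source_route_failures(log_text):
    """Count 'Source Route Failed' kernel messages, keyed by the address they report."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRF_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_hops(trace_text):
    """Return (hop_number, hostname, address) for every hop that produced a reply."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops


def find_loops(trace_text):
    """Map each address that answers at more than one hop to the list of those hops.

    A router that keeps reappearing at increasing TTLs is the 'same router over and
    over again' symptom from the post: the packet is circulating rather than advancing.
    """
    seen = {}
    for hop, _host, addr in parse_hops(trace_text):
        seen.setdefault(addr, []).append(hop)
    return {addr: hops for addr, hops in seen.items() if len(hops) > 1}


if __name__ == "__main__":
    for addr, n in count_source_route_failures(SAMPLE_MESSAGES).most_common():
        print(f"{n:4d} source-route failures reported for {addr}")
    for addr, hops in find_loops(SAMPLE_TRACE).items():
        print(f"router {addr} answered at hops {hops}: possible routing loop")
```

Run on a real /var/adm/messages, the first function tells you whether the messages come from one persistent address or are scattered, which is what you want to know before deciding how much attention they deserve. One caveat on the "should I be disabling something in my kernel" question: on current Linux kernels, acceptance of source-routed packets is governed by the net.ipv4.conf.all.accept_source_route sysctl (0 rejects them); that knob postdates the 1995 kernel the post is about, so it is offered here as a present-day check, not as something available to the original poster.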