RE: Net forensics question
> What would explain the following scenario
With just those four tests to go on, I would start thinking that the address
you are analyzing is either spoofed or no longer online. A traceroute that
bounces between two hosts is usually a sign of a routing loop as a result of
the destination host being down. This was more prevalent ten years ago, but
I still see them today periodically. DNS information (as well as a ping -a)
completely relies on the authoritative server for the address space, so I
would find out who the particular network belongs to and contact them. A
whois on arin.net's servers (or some other registry) ought to give you some
contact information. Finally, ping timeouts... are you certain that the
reply you're receiving back is actually from the host? If you increase your
TTL in a traceroute, do you finally get somewhere? It could in fact be
coming from one of the routers in the loops if your TTL is expiring in
transit.
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Mon May 26 14:56:10 2003
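
The routing-loop check described in the message above, as an added example that is not part of the original post: it parses traceroute output and reports whether the path ends bouncing between the same routers instead of reaching the destination. It assumes numeric output (one responder address per row); the sample trace, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample (documentation addresses), numeric output as from "traceroute -n".
SAMPLE = """\
traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  192.0.2.1  0.612 ms  0.580 ms  0.571 ms
 2  198.51.100.9  4.120 ms  4.101 ms  4.093 ms
 3  198.51.100.33  9.874 ms  9.850 ms  9.912 ms
 4  198.51.100.34  10.221 ms  10.198 ms  10.240 ms
 5  198.51.100.33  10.913 ms  10.877 ms  10.902 ms
 6  198.51.100.34  11.402 ms  11.377 ms  11.395 ms
 7  * * *
"""
HOP = re.compile(r"^\s*(\d+)\s+(\S+)")  # TTL, then first responder (or "*")

def parse_hops(text):
    """Return [(ttl, responder)]; responder is None for a timed-out row."""
    rows = (HOP.match(line) for line in text.splitlines())
    return [(int(m.group(1)), None if m.group(2) == "*" else m.group(2))
            for m in rows if m]

def find_loop(hops, max_period=4):
    """Return (first_ttl, cycle) if the path ends in a repeating router cycle."""
    while hops and hops[-1][1] is None:  # ignore trailing timeouts
        hops = hops[:-1]
    addrs = [a for _, a in hops]
    n = len(addrs)
    for p in range(2, min(max_period, n // 2) + 1):
        i = n - p
        # Walk back while the router p hops later is the same one.
        while i > 0 and addrs[i - 1] == addrs[i - 1 + p]:
            i -= 1
        cycle = addrs[i:i + p]
        if n - i >= 2 * p and None not in cycle and len(set(cycle)) == p:
            return hops[i][0], cycle
    return None

def diagnose(text, dest):
    """Classify a trace: destination answered, routing loop, or neither."""
    hops = parse_hops(text)
    if any(a == dest for _, a in hops):
        return "destination answered"
    loop = find_loop(hops)
    if loop:
        return "routing loop from TTL %d between %s" % (loop[0], " and ".join(loop[1]))
    return "destination not reached, no loop seen"

if __name__ == "__main__":
    print(diagnose(SAMPLE, "203.0.113.77"))
```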