On Wed, Jan 07, 2004 at 02:04:36PM -0500, John A. Sullivan III wrote:
> Thank you very much but could you please explain this a bit more. Oskar
> Andreasson's tutorial explicitly mentions doing this, i.e., incrementing
> TTL and we thought it was a good idea. We certainly want to change our
> ways if this is dangerous. Here is the excerpt from the tutorial:

Well, as indicated in my last email:

1) it is dangerous to increment the TTL
2) still, there are valid uses.

In general, incrementing the TTL of packets heading towards your internal
network shouldn't be a problem. If people want to hide their internal network
structure from traceroute, they have two options:

a) drop all packets that have a ttl < number_of_hops_in_internal_net
b) increment the TTL by number_of_hops_in_internal_net

Both ways make sure that the TTL never expires on a router in the internal
network. 'a' would interrupt traffic, while 'b' makes sure traffic passes.

Also, sometimes ISPs try to detect if you are running a router/gateway
behind your DSL line by checking for well-known TTL values. In this case,
setting the TTL

The most dangerous cases of incrementing the TTL are:

a) incrementing the TTL of transit traffic (not close to sender or receiver)
b) incrementing the TTL of multicast traffic

> John A. Sullivan III

-- 
- Harald Welte  http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going on
 while IP was being designed." -- Paul Vixie
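The two options above, and the transit-traffic danger, can be checked with a small hop-by-hop model of TTL handling. The following is an added example written for this page, not code from the thread, from Oskar Andreasson's tutorial or from netfilter; the topology (a gateway in front of three internal routers and a host) and the probe TTL range are constructed assumptions. It shows which internal routers a traceroute learns about under plain forwarding, under option a (drop) and under option b (increment), and then why incrementing on a transit router defeats the TTL loop protection.

```python
"""Hop-by-hop model of IP TTL handling at a gateway that hides internal hops
from traceroute (options a and b), plus the failure mode of incrementing TTL
on transit traffic.  Constructed example, not netfilter or tutorial code."""

INTERNAL_ROUTERS = 3                         # constructed: routers behind the gateway
# "number_of_hops_in_internal_net": the internal routers plus the destination
# host itself, which is the last hop a traceroute probe reaches.
HOPS_IN_INTERNAL_NET = INTERNAL_ROUTERS + 1


def probe(ttl, policy=None):
    """Follow one probe with the given TTL through the gateway and the
    internal routers.  policy is None (plain forwarding), "drop" (option a)
    or "increment" (option b).  Returns one of
      ("expired", 0)     expired at the gateway itself (hop 0, not secret)
      ("expired", k)     expired at internal router k, which would answer with
                         ICMP time exceeded and so reveal itself
      ("dropped", None)  silently dropped by the gateway under option a
      ("delivered", None) reached the destination host
    """
    ttl -= 1                                 # the gateway is itself a router hop
    if ttl == 0:
        return ("expired", 0)
    if policy == "drop" and ttl < HOPS_IN_INTERNAL_NET:
        return ("dropped", None)             # would expire inside, drop it instead
    if policy == "increment":
        ttl += HOPS_IN_INTERNAL_NET          # enough budget to cross the inside
    for k in range(1, INTERNAL_ROUTERS + 1):
        ttl -= 1                             # each internal router decrements
        if ttl == 0:
            return ("expired", k)
    return ("delivered", None)               # the host does not decrement TTL


def revealed_routers(policy=None, max_ttl=16):
    """Internal routers (1-based) that a traceroute sweeping TTL 1..max_ttl
    learns about under the given gateway policy."""
    seen = set()
    for t in range(1, max_ttl + 1):
        kind, k = probe(t, policy)
        if kind == "expired" and k > 0:
            seen.add(k)
    return sorted(seen)


def loop_steps_until_expiry(ttl, increment_each_hop, max_steps=1000):
    """Two transit routers that forward to each other (a routing loop).
    Returns how many hops the packet survives before its TTL reaches 0, or
    None if it is still circulating after max_steps hops.  With
    increment_each_hop (an iptables TTL --ttl-inc rule on a transit router)
    the decrement is cancelled and the packet never dies."""
    for step in range(1, max_steps + 1):
        if increment_each_hop:
            ttl += 1
        ttl -= 1
        if ttl <= 0:
            return step
    return None


if __name__ == "__main__":
    for pol in (None, "drop", "increment"):
        print(f"policy={pol!s:9} traceroute reveals routers {revealed_routers(pol)}")
    print("low-TTL packet under drop:     ", probe(3, "drop"))
    print("low-TTL packet under increment:", probe(3, "increment"))
    print("loop, plain TTL=64:      expires after", loop_steps_until_expiry(64, False), "hops")
    print("loop, incrementing hops: expires after", loop_steps_until_expiry(64, True), "hops")
```

Plain forwarding lets a sweep of probes expire on each internal router in turn, which is exactly the information traceroute maps. Option a hides them but also drops legitimate packets that arrive with a small TTL, while option b hides them and still delivers those packets. The loop model is the reason for the warning about transit traffic: TTL exists so that a packet caught in a forwarding loop eventually dies, and a router that adds one per hop removes that safety valve for every flow passing through it.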