JDoors Posted October 16, 2005

Occasionally I open my firewall and check who's been trying to get into my system. If I see an unusual address (say, from Russia), out of curiosity I trace it. MOST times the trace takes place quickly, occasionally it has to "ping" several nodes before it finds the culprit, and sometimes it has to ping up to twenty nodes. So I see an unusual address (the "nt.net" part got me curious), trace it, and it's taking a long time. I look at the "nodes" count and it's past twenty, then thirty, then forty, THEN FIFTY, THEN SIXTY -- And it's still going! All this for some guy in Canada? I don't think so. Russia, China and Taiwan for example rarely pass through 20 nodes. Here's the display:

So is this guy some kind of rerouting genius, or is this just an unusual quirk?
TheTerrorist_75 Posted October 16, 2005 (edited)

You could definitely get dizzy tracing that.

traceroute to 207.35.163.144 (207.35.163.144), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 so2-2-2.jr1.phx1.llnw.net (69.28.139.245) 16.600 ms
 5 agg1-6-1.ar1.phx1.llnw.net (69.28.172.230) 20.506 ms
 6 so1-15-2.ar1.sjc.llnw.net (69.28.172.249) 36.130 ms
 7 agg1-31.fr1.sjc.llnw.net (69.28.148.217) 36.130 ms
 8 rt0sj-equinix.cl.shawcable.net (206.223.116.20) 37.107 ms
 9 rc2sj-pos0-0.cl.shawcable.net (66.163.67.10) 37.107 ms
10 rc1ch-pos6-1.il.shawcable.net (66.163.76.125) 96.674 ms
11 rc2sh-pos13-0.mt.shawcable.net (66.163.77.13) 110.345 ms
12 ra1sh-ge4-1.mt.shawcable.net (66.163.66.18) 111.321 ms
13 rx0sh-hydro-one-telecom.mt.bigpipeinc.com (66.244.223.246) 112.298 ms
14 142.46.128.6 (142.46.128.6) 111.321 ms
15 142.46.128.54 (142.46.128.54) 112.298 ms
16 142.46.7.2 (142.46.7.2) 109.368 ms
17 209NTL226-50-78.nt.net (209.226.50.78) 111.321 ms
18 New-Liskeard-33.nt.net (209.226.51.33) 113.274 ms
19 NL-Gateway.nt.net (209.226.51.3) 113.274 ms

traceroute to 209.226.51.3 (209.226.51.3), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 so2-2-2.jr1.phx1.llnw.net (69.28.139.245) 907.168 ms
 5 agg1-6-1.ar1.phx1.llnw.net (69.28.172.230) 911.074 ms
 6 so1-5-1.ar1.dal.llnw.net (69.28.172.245) 936.463 ms
 7 so1-5-2.ar1.iad.llnw.net (69.28.172.241) 972.594 ms
 8 ag1-21.fr1.iad.llnw.net (69.28.156.161) 972.594 ms
 9 ashb.ge-0-1-0-5.bdr1.cirn.net (206.223.115.135) 998.960 ms
10 * * *
11 * * *
12 * * *
13 64.230.231.66 (64.230.231.66) 90.815 ms
14 207-164-139-90.telebecinternet.com (207.164.139.90) 94.721 ms
15 209NTL226-50-78.nt.net (209.226.50.78) 97.650 ms

traceroute to 209.226.50.78 (209.226.50.78), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 phv-edge-01.inet.qwest.net (65.121.93.133) 19.530 ms
 5 tmp-core-02.inet.qwest.net (205.171.129.89) 21.483 ms
 6 ewr-core-02.inet.qwest.net (205.171.8.206) 71.284 ms
 7 ewr-brdr-01.inet.qwest.net (205.171.17.82) 72.261 ms
 8 bx2-newyork83-pos11-0.in.bellnexxia.net (206.108.108.113) 72.261 ms
 9 * * *
10 * * *
11 * * *
12 * * *
13 64.230.231.66 (64.230.231.66) 91.791 ms
14 207-164-139-90.telebecinternet.com (207.164.139.90) 95.697 ms
15 209NTL226-50-78.nt.net (209.226.50.78) 96.673 ms

IP Address Locater
207.35.163.144
Hearst, ON, CA

Whois

207.35.163.144 = [ HS163-144.nt.net ]
OrgName: Bell Canada
OrgID: LINX
Address:
City: Toronto
StateProv: ON
PostalCode: K1G-3J4
Country: CA
NetRange: 207.35.0.0 - 207.35.255.255
CIDR: 207.35.0.0/16
NetName: GRICS01
NetHandle: NET-207-35-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLGLOBAL.COM
NameServer: NS2.BELLGLOBAL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1996-01-23
Updated: 2000-05-26
TechHandle: PD135-ARIN
TechName: Daoust Philippe
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: SYSAD1-ARIN
OrgTechName: Sys Admin
OrgTechPhone: 1-800-565-0567
OrgTechEmail: [email protected]

CustName: Northern Telephone Limited
Address: PO Box 4000
City: New Liskeard
StateProv: Ontario
PostalCode: P0J 1P0
Country: CA
RegDate: 2000-04-08
Updated: 2000-04-08
NetRange: 207.35.160.0 - 207.35.163.255
CIDR: 207.35.160.0/22
NetName: NRTHRNTL-CA
NetHandle: NET-207-35-160-0-1
Parent: NET-207-35-0-0-1
NetType: Reassigned
Comment:
RegDate: 2000-04-08
Updated: 2000-04-08
TechHandle: PD135-ARIN
TechName: Daoust Philippe
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: SYSAD1-ARIN
OrgTechName: Sys Admin
OrgTechPhone: 1-800-565-0567
OrgTechEmail: [email protected]

209.226.51.3 = [ NL-Gateway.nt.net ]
OrgName: Bell Canada
OrgID: LINX
Address:
City: Toronto
StateProv: ON
PostalCode: K1G-3J4
Country: CA
NetRange: 209.226.0.0 - 209.226.255.255
CIDR: 209.226.0.0/16
NetName: BELLCANADA-3
NetHandle: NET-209-226-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS3.BELLGLOBAL.COM
NameServer: NS4.BELLGLOBAL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-04-28
Updated: 2000-05-26
TechHandle: PD135-ARIN
TechName: Daoust Philippe
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: SYSAD1-ARIN
OrgTechName: Sys Admin
OrgTechPhone: 1-800-565-0567
OrgTechEmail: [email protected]

OrgName: Northern Telephone Limited
OrgID: NTL-5
Address: 155 Avenue du Portage
City: Rouyn-Noranda
StateProv: Quebec
PostalCode: J9X 5A8
Country: CA
NetRange: 209.226.48.0 - 209.226.58.255
CIDR: 209.226.48.0/21 209.226.56.0/23 209.226.58.0/24
NetName: NTLTD99-CA
NetHandle: NET-209-226-48-0-1
Parent: NET-209-226-0-0-1
NetType: Reassigned
Comment:
RegDate: 1999-06-28
Updated: 1999-06-28
TechHandle: MW70-ARIN
TechName: Weir Michael
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: MW70-ARIN
OrgTechName: Weir Michael
OrgTechPhone: 1-800-450-7771
OrgTechEmail: [email protected]

209.226.50.78 = [ 209NTL226-50-78.nt.net ]
OrgName: Bell Canada
OrgID: LINX
Address:
City: Toronto
StateProv: ON
PostalCode: K1G-3J4
Country: CA
NetRange: 209.226.0.0 - 209.226.255.255
CIDR: 209.226.0.0/16
NetName: BELLCANADA-3
NetHandle: NET-209-226-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS3.BELLGLOBAL.COM
NameServer: NS4.BELLGLOBAL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1998-04-28
Updated: 2000-05-26
TechHandle: PD135-ARIN
TechName: Daoust Philippe
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: SYSAD1-ARIN
OrgTechName: Sys Admin
OrgTechPhone: 1-800-565-0567
OrgTechEmail: [email protected]

OrgName: Northern Telephone Limited
OrgID: NTL-5
Address: 155 Avenue du Portage
City: Rouyn-Noranda
StateProv: Quebec
PostalCode: J9X 5A8
Country: CA
NetRange: 209.226.48.0 - 209.226.58.255
CIDR: 209.226.48.0/21 209.226.56.0/23 209.226.58.0/24
NetName: NTLTD99-CA
NetHandle: NET-209-226-48-0-1
Parent: NET-209-226-0-0-1
NetType: Reassigned
Comment:
RegDate: 1999-06-28
Updated: 1999-06-28
TechHandle: MW70-ARIN
TechName: Weir Michael
TechPhone: 1-800-450-7771
TechEmail: [email protected]
OrgTechHandle: MW70-ARIN
OrgTechName: Weir Michael
OrgTechPhone: 1-800-450-7771
OrgTechEmail: [email protected]

Edited October 16, 2005 by TheTerrorist_75
blim Posted October 17, 2005

*slaps forehead* Good grief, Terrorist, you got all that info from those green lines????? You amaze me.

Jdoors, I do the same thing as you do with my McAfee firewall, can't answer your question (perhaps Terrorist did, but his reply went waaayyyy over my head, still dizzy!!), but it sure is a fun toy, isn't it?

Liz
hitest Posted October 17, 2005

That trace route is interesting indeed. Do you suspect you've been hacked? I use a hardware firewall/router. Hopefully it'll be good enough to keep the bad guys out :-)
JDoors Posted October 17, 2005 (edited)

> You could definitely get dizzy tracing that.
> traceroute to 207.35.163.144 (207.35.163.144), 30 hops max, 40 byte packets
> 1 * * *
> ...

Holy cow! I rarely look at all the text information, I prefer the nice pretty maps instead. So it's probably some bored nutcase exercising his talent in a useless manner, right?

Liz, the lower left corner of that display (not seen in my snapshot) shows what's happening during the trace. In layperson's terms it's: "I'm looking for where that came from ... OK, let's see if I get a response from that location ... now that one ... now that one ... OK, here's close to where it most likely came from." Usually it has to "look" at a few "nodes", which are sort of the big computers that distribute Internet traffic. So some guy in Moscow would connect to a local node, then a bigger one that distributes traffic among a larger area, then it goes to the bigger ones that distribute traffic worldwide, and then back down to a local node close to you, then your particular IP address. Morons use special tricks and codes to bounce the traffic around unnecessary nodes to try and hide where the original signal comes from, hence in this case over 60 bounces. No traffic would normally have to go through 60 nodes to reach any computer anywhere in the world, so I suspected, and it's probably confirmed, that this guy is one of those morons.

hitest, I'm not worried about having been hacked* as every test I've ever performed has shown my computer is completely "stealthed" to the Internet. Many tests simply say they can't test at all, that as far as the Internet is concerned my system does not exist, then they congratulate me on having excellent protection. I just occasionally like to see where attempts are coming from, and there's usually something new or interesting to learn from it (like this one, the first time I've ever seen that many nodes contacted).

ONE QUESTION HOWEVER: I never know if pinging back that way "reveals" my IP address to them. I know, because I'm stealthed, they receive no confirmation that my IP address is in use when they try to contact my system, but does my ping to them contain my address? (Note: I've asked before but my brain must be full so I can't remember the answer.) I've never been bombarded by attempts after tracing so it doesn't appear they discover a live address, but that may be due to the scripts they use not having that feature. The scripts may just look for open ports and that's that, they may not "receive" information from pings then focus on that. Or pings don't reveal anything, I don't know.

------
* I understand however that anything I do, visiting sites, downloading files, etc. still contains risk 'cause I'm initiating contact.

Edited October 17, 2005 by JDoors
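An added example, not code from anyone in this thread: a small parser for the Unix traceroute format TheTerrorist_75 posted, followed by the summary a defender would want when a trace looks odd. It counts hops, counts silent hops (the `* * *` lines, routers that do not answer), records where the trace ended, and lists any address that appears more than once, because a trace that runs far past the 30-hop default is more commonly a routing loop, or a path that changed while the probes were in flight, than anything the remote host arranged. The first trace is the one posted above (page data); the looping trace is constructed here with RFC 5737 documentation addresses.

```python
"""Parse Unix traceroute output and summarise it the way a defender would
when a trace looks unusually long.  Added example; not from this thread."""
import re
from collections import Counter

# Copied from TheTerrorist_75's first trace above (page data).
SAMPLE_TRACE = """\
traceroute to 207.35.163.144 (207.35.163.144), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 so2-2-2.jr1.phx1.llnw.net (69.28.139.245) 16.600 ms
 5 agg1-6-1.ar1.phx1.llnw.net (69.28.172.230) 20.506 ms
 6 so1-15-2.ar1.sjc.llnw.net (69.28.172.249) 36.130 ms
 7 agg1-31.fr1.sjc.llnw.net (69.28.148.217) 36.130 ms
 8 rt0sj-equinix.cl.shawcable.net (206.223.116.20) 37.107 ms
 9 rc2sj-pos0-0.cl.shawcable.net (66.163.67.10) 37.107 ms
10 rc1ch-pos6-1.il.shawcable.net (66.163.76.125) 96.674 ms
11 rc2sh-pos13-0.mt.shawcable.net (66.163.77.13) 110.345 ms
12 ra1sh-ge4-1.mt.shawcable.net (66.163.66.18) 111.321 ms
13 rx0sh-hydro-one-telecom.mt.bigpipeinc.com (66.244.223.246) 112.298 ms
14 142.46.128.6 (142.46.128.6) 111.321 ms
15 142.46.128.54 (142.46.128.54) 112.298 ms
16 142.46.7.2 (142.46.7.2) 109.368 ms
17 209NTL226-50-78.nt.net (209.226.50.78) 111.321 ms
18 New-Liskeard-33.nt.net (209.226.51.33) 113.274 ms
19 NL-Gateway.nt.net (209.226.51.3) 113.274 ms
"""

# Constructed looping trace (RFC 5737 documentation addresses): the path
# bounces between two routers until the probes stop being answered.
LOOPING_TRACE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 40 byte packets
 1 gw.example.net (198.51.100.1) 1.203 ms
 2 r1.example.net (198.51.100.9) 5.010 ms
 3 r2.example.net (198.51.100.10) 5.412 ms
 4 r1.example.net (198.51.100.9) 6.118 ms
 5 r2.example.net (198.51.100.10) 6.809 ms
 6 r1.example.net (198.51.100.9) 7.377 ms
 7 * * *
"""

# A hop line is either "N host (ip) rtt ms ..." or "N * * *".
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?:(?P<host>\S+)\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+(?P<rtts>.*)"
    r"|(?P<silent>\*(?:\s+\*)*))\s*$"
)
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


def parse_traceroute(text):
    """One dict per hop; silent hops (* * *) have host and ip set to None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." header, or a line we don't understand
        if m.group("silent"):
            hops.append({"hop": int(m.group("hop")), "host": None, "ip": None, "rtts": []})
        else:
            hops.append({
                "hop": int(m.group("hop")),
                "host": m.group("host"),
                "ip": m.group("ip"),
                "rtts": [float(r) for r in RTT_RE.findall(m.group("rtts"))],
            })
    return hops


def analyse(hops, max_expected=30):
    """Hop count, silent hops, repeated addresses and the last responder."""
    answered = [h for h in hops if h["ip"]]
    seen = Counter(h["ip"] for h in answered)
    return {
        "hops": len(hops),
        "silent": sum(1 for h in hops if h["ip"] is None),
        "repeated": sorted(ip for ip, n in seen.items() if n > 1),
        "too_long": len(hops) > max_expected,
        "last_responder": answered[-1]["host"] if answered else None,
        "last_rtt_ms": max(answered[-1]["rtts"], default=None) if answered else None,
    }


def verdict(summary):
    """Plain-language reading of the summary."""
    if summary["repeated"]:
        return "routing loop: %s seen more than once" % ", ".join(summary["repeated"])
    if summary["too_long"]:
        return "longer than the probe limit; path probably changed while tracing"
    return "ordinary path, ends at %s" % summary["last_responder"]


if __name__ == "__main__":
    for name, trace in (("posted trace", SAMPLE_TRACE), ("constructed loop", LOOPING_TRACE)):
        summary = analyse(parse_traceroute(trace))
        print(name, summary, "->", verdict(summary))
```

Run it as a script and the posted trace comes out as an ordinary 19-hop path ending at NL-Gateway.nt.net with three silent hops near the source, while the constructed trace is flagged as a loop because two router addresses recur. The same analysis over the 60-node trace from the first post would say which of the two explanations applies.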
Vile_DR Posted October 17, 2005

Pings to my understanding do not send any information from which they came. ICMP can be detailed enough to send information to other machines and ISP servers, but for the most part a normal ping just sends an ACT packet looking for a response, I don't think it does much more...although DNS could provide your information as well as theirs in these responses.
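An added illustration, not part of any post in this thread, of what an echo request actually carries on the wire. The ICMP message itself (type 8, code 0) has no field naming the sender, but it cannot leave the machine without an IPv4 header, and that header's source address is mandatory: it is what the far host's firewall log records and what lets it address its reply. A "stealthed" firewall that drops unsolicited inbound packets changes nothing about outbound ones. The same code also builds the probe series a traceroute sends, an identical echo with the TTL set to 1, 2, 3, and so on, so that each router in turn expires the packet and answers, which is what "pinging each node" means. The addresses are RFC 5737 documentation addresses, constructed for the example; nothing is sent, the packets are only built and parsed in memory.

```python
"""Build an IPv4/ICMP echo request in memory and read back what it carries.
Added example; not from this thread.  Nothing is transmitted."""
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header, no options
ICMP_FMT = "!BBHHH"          # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0.  No field here names the sender."""
    unchecked = struct.pack(ICMP_FMT, 8, 0, 0, ident, seq) + payload
    return struct.pack(ICMP_FMT, 8, 0, inet_checksum(unchecked), ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 1) -> bytes:
    """Minimal IPv4 header in front of the payload.  Source address is mandatory."""
    ver_ihl = (4 << 4) | 5
    fields = [ver_ihl, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """What a router, or the far host's firewall log, can read from the packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:total_len]
    info = {
        "src": socket.inet_ntoa(src),          # the sender's address, always present
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "header_ok": inet_checksum(packet[:ihl]) == 0,  # valid checksum folds to zero
    }
    if proto == 1:  # ICMP
        typ, code, _, ident, seq = struct.unpack(ICMP_FMT, body[:8])
        info.update({"icmp_type": typ, "icmp_code": code, "id": ident,
                     "seq": seq, "data": body[8:],
                     "icmp_ok": inet_checksum(body) == 0})
    return info


def traceroute_probes(src: str, dst: str, max_hops: int = 30) -> list:
    """The probes a traceroute emits: the same echo with TTL 1, 2, 3, ...
    Each router that decrements the TTL to zero discards the probe and
    reports back, so the sender's address reaches every hop on the path."""
    return [build_ipv4(src, dst, build_icmp_echo(0x1234, ttl, b"probe"), ttl=ttl)
            for ttl in range(1, max_hops + 1)]


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges).
    pkt = build_ipv4("203.0.113.5", "198.51.100.7", build_icmp_echo(0x1234, 1, b"hello"))
    print(parse_ipv4(pkt))
    print([parse_ipv4(p)["ttl"] for p in traceroute_probes("203.0.113.5", "198.51.100.7", 5)])
```

The parsed dictionary shows the answer to the question in the thread: `src` is populated on every packet, including every traceroute probe, whether or not the sender answers anything inbound.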
hitest Posted October 17, 2005

> hitest, I'm not worried about having been hacked* as every test I've ever performed has shown my computer is completely "stealthed" to the Internet. Many tests simply say they can't test at all, that as far as the Internet is concerned my system does not exist, then they congratulate me on having excellent protection. I just occasionally like to see where attempts are coming from, and there's usually something new or interesting to learn from it (like this one, the first time I've ever seen that many nodes contacted).

Excellent. If you're in stealth mode you're in good shape. You are smart to be paranoid. Your software firewall is protecting you very well indeed.
JDoors Posted October 18, 2005

OK, one of the reasons I can't learn is, let me edit your post to show you how it looks to me:

> Pings blah, blah, blah, do not send any information from which they came. blah, blah, blah, blah, but for the most part a normal ping just sends a ... packet looking for a response, I don't think it does much more. blah, blah, blah, blah!

See my problem? (I get it, but if I don't do something drastic it'll go in one ear and out the other -- so forgive me havin' a little fun wit' ya.)