[Dshield] Odd traceroute, I *think* I know what's going on, but not sure.

Brenden Walker BKWalker at drbsystems.com
Wed Oct 8 19:07:17 GMT 2008


> -----Original Message-----
> From: list-bounces at lists.sans.org [mailto:list-bounces at lists.sans.org] On Behalf Of John Hardin
> Sent: Wednesday, October 08, 2008 2:27 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Odd traceroute, I *think* I know what's going on, but not sure.
>
> On Wed, 8 Oct 2008, Brenden Walker wrote:
>
> > Seems that the Vista version does, or perhaps has something to do
> > with our domain setup here:
> >
> > C:\Users\bkwalker>tracert 123.30.74.2
> >
> > Tracing route to bkwalkerpc.drbsystems.com [123.30.74.2]
<snip>
> > 16   648 ms   641 ms   637 ms  bkwalkerpc.drbsystems.com [123.30.74.2]
> >
> > Trace complete.
> >
> > ;-)
>
> Confirmed on Vista, from a host on the same network as the earlier
> example. It's probably not your network setup unless ours is
> misconfigured the same way.
>
> "ping -a" does the same thing.
>
> Some quick googles don't seem to show anybody else discussing this issue.
>
> Why in the world would anybody think it was reasonable to do that?
>
> I wonder if this could be used to bypass security somehow? "Oh, the host
> I got that content from is me ('localhost' mapped to my local hostname),
> so I can trust it..."

Good question.  The only thing I could think of is putting in URLs that look like they're going to link to your local machine.  But that's not going to work well, at least in most cases.  I know my hosts file has localhost mapping directly to 127.0.0.1 and at least tracert and ping don't do a lookup.

Sure makes one wonder what the heck they are thinking.  Or even how it got this way...weird.


