Hacker News new | ask | show | jobs
by tyingq 1396 days ago
Not sure how he did it, but my first guess would be just a bunch of virtual interfaces on a linux box with a->b->c->d->e->etc routing, and something like the tc command[1] to add enough latency to each one that traceroute sees them all.

If he's scripted it to do all the virtual nic creation and dns ptr entries, it would be interesting to see.

[1] https://bencane.com/2012/07/16/tc-adding-simulated-network-l...
2 comments
mrb 1396 days ago
Virtual interfaces aren't necessary, and would be overkill. All he needs on his server is to listen on a raw network socket, read the incoming packet's IP TTL value, then forge and send an ICMP "time exceeded" response with the source IP address set to a value that depends on the TTL. The entire thing could be done in 20-30 lines of Python.

Next to that he set up a DNS server configured with PTR records that map these forged IP addresses to arbitrary hostnames of his choices.

link
nitros 1396 days ago
For maximum 'performance' you can do it in-kernel with eBPF :^) https://github.com/simmsb/traceroute-spoof
link
tyingq 1396 days ago
Sure, another way to do it, though the python would have to get the peer address, extract 64 bits of the incoming msg, table lookups of hop count -> forged address, decrement hop counts, etc. A shell script creating virtual interfaces and routing wouldn't likely be much longer than 20-30 lines either.
link
mrb 1396 days ago
There is no need to do "table lookups of hop count" or to "decrement hop counts". The IP TTL value is just a field that can be read from the IP header, which is trivial since the Python would get the entire IP header from the raw socket. If you see a TTL=1 you send back the forged response as coming from $IP_1, if you see a TTL=2 you forge the response as coming from $IP_2, etc. The forged response can always contain the same default TTL.
link
tyingq 1396 days ago
> table lookups of hop count -> forged address

>> There is no need to do "table lookups of hop count"

>> If you see a TTL=1 you send back the forged response as coming from $IP_1, if you see a TTL=2 you forge the response as coming from $IP_2

You're describing a table lookup of the forged address using the hop count.

link
mrb 1396 days ago
Right, I understand you now.
link
JoachimSchipper 1396 days ago
traceroute(1) uses the IP Time-To-Live (TTL) field, not network latency. So just a bunch of virtual interfaces on a suitable *nix should be enough.
link
tyingq 1396 days ago
Ah, right, hop count ceiling and decrement from each hop.

Specifically timed latency might be fun to delineate sections for the viewer though.

link