by kadoban 1390 days ago
I _think_ that if you know the real source and real destination of an ICMP message, you can just forge back a message with an arbitrary TTL exceeded message, from any "I'm IP address xxx" address. Those can come from a lot of rando IPs because the intent of them is just "at this hop, the TTL ran out", and the hops the original sender wouldn't know anyway. A lot of fake hops would be essentially impossible if you examined the real BGP routes and stuff, but verifying that in real time sounds hard enough that I bet nobody bothers.

I'd have to do a lot more research and testing to verify though, not something I've played with in practice, and obviously my terminology isn't even right above, so take it for what it's worth.

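To make the "TTL exceeded" reply concrete from the receiving side, here is an added Python example (not code from anyone in this thread) that parses an ICMPv4 Time Exceeded message and checks that the datagram quoted inside it matches the probe a traceroute actually sent. All addresses, ports and packet bytes are constructed sample values; the helper builders exist only to produce test input in memory, nothing touches the network.

```python
import socket
import struct

# Constructed sample probe: the kind of UDP datagram a classic traceroute emits.
PROBE = {"src": "10.0.0.2", "dst": "198.51.100.7", "sport": 33434, "dport": 33435}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Constructed traceroute-style probe: IPv4 + 8-byte UDP header, no payload."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP checksum optional for IPv4
    return build_ipv4_header(src, dst, 17, len(udp), ttl) + udp


def build_time_exceeded(hop_ip: str, probe_packet: bytes) -> bytes:
    """Constructed sample of what a router returns: ICMP type 11 code 0 quoting the
    probe's IP header plus the first 8 bytes of its payload (the UDP header)."""
    inner_src = socket.inet_ntoa(probe_packet[12:16])
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe_packet[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4_header(hop_ip, inner_src, 1, len(icmp)) + icmp


def parse_time_exceeded(packet: bytes):
    """Return the hop that claims to have dropped the probe plus the quoted inner
    datagram's identifiers, or None if this is not a well-formed Time Exceeded."""
    if len(packet) < 20 or packet[9] != 1:          # outer protocol must be ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28:                           # header + quoted IP hdr + 8 bytes
        return None
    itype, icode = icmp[0], icmp[1]
    if itype != 11 or icode != 0 or checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    return {
        "hop": socket.inet_ntoa(packet[12:16]),      # outer source: unauthenticated
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
        "l4": l4,
    }


def matches_probe(info: dict, probe: dict) -> bool:
    """The check traceroute relies on: does the quoted datagram match what we sent?"""
    if info is None or info["inner_proto"] != 17 or len(info["l4"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", info["l4"][:4])
    return (info["inner_src"], info["inner_dst"], sport, dport) == (
        probe["src"], probe["dst"], probe["sport"], probe["dport"])


def demo() -> tuple:
    """Accept a reply quoting our probe; reject one quoting a different probe."""
    ours = build_udp_probe(PROBE["src"], PROBE["dst"], PROBE["sport"], PROBE["dport"], ttl=3)
    other = build_udp_probe(PROBE["src"], PROBE["dst"], PROBE["sport"], 33499, ttl=3)
    good = parse_time_exceeded(build_time_exceeded("192.0.2.1", ours))
    stale = parse_time_exceeded(build_time_exceeded("192.0.2.9", other))
    return good["hop"], matches_probe(good, PROBE), matches_probe(stale, PROBE)


if __name__ == "__main__":
    print(demo())
```

Note what this check does and does not establish: it confirms the reply quotes the probe you emitted (addresses, protocol, ports), which filters out stray or stale ICMP, but it says nothing about whether the outer source address really belongs to a router on the path. That is exactly the gap the comment above points at, and closing it means correlating the reported hops with topology you trust rather than trusting the packet.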

If you return fake IPs in a traceroute you won't be able to control the reverse DNS which is the point of this exercise.
You can however control the IPs, so you can pick IPs with funny nsa.gov/.mil/fbi rdns (and matching forward records).
I understood this current thread to be another, separate, stupid ICMP trick. I wouldn't think the two tricks can be combined.