[ale] Weird/fun traceroute someone sent me

Derek Atkins warlord at MIT.EDU
Tue Mar 25 13:20:13 EDT 2014


Hi,

Ken Cochran <kwc at shell.TheWorld.com> writes:

> Hey ALE folk, umm, can someone 'splain me How Dey Do Dat?
>
> PC (Windows I'd guess):
> tracert -h 250 204.244.252.35
>
> MAC/Unix (& I'd guess Linux):
> traceroute -m 250 204.244.252.35
>
> I "sorta" understand the underpinnings of traceroute, in
> that it works off ICMP echo-requests (ping) with the TTL
> "fudged" to sorta bring on an exception condition that's of
> use other than an "error."  But just what's going on "here?"
> FAQ/Doc/FMs to RT are of course, welcome.  :)  Thanks, -kc

What's going on is that they own 206.214.216/24 and have set up a
routing path with a bunch of "virtual" machines (at least I'm assuming
it's virtual). He also seems to use the TTL to decide which address to
use for the ICMP reply, so he's able to reuse the same IP reply when he
wants to reuse the same text (see below).

You are correct that traceroute works by sending off packets with
limited TTLs; the way IP works, each hop reduces the TTL and when the
TTL reaches 0 you get an ICMP reply basically saying "sorry, you didn't
reach the host -- too many hops".

This ICMP reply is what traceroute displays.  The "magic" here is that
he's using all these different addresses, and then uses DNS PTR records
to convert each IP address to a line in the story.  For example, if you
run:

$ host 206.214.251.9
9.251.214.206.in-addr.arpa domain name pointer it.is.a.period.of.civil.war.

Alas, there does appear to be a loop.  After (for me) hop 149 it loops
back to the beginning:

149  never.gonna.tell.a.lie.and.hurt.you (206.214.251.246)  83.564 ms  83.487 ms  83.365 ms
150  206.214.251.27 (206.214.251.27)  83.226 ms  83.034 ms  84.843 ms
151  episode.iv (206.214.251.1)  83.791 ms  85.578 ms  85.381 ms

which is the same as:

11  206.214.251.27 (206.214.251.27)  83.941 ms  81.140 ms  82.900 ms
12  Episode.IV (206.214.251.1)  85.977 ms  82.517 ms  82.427 ms


I'll note that both 206.214.251/24 and 204.244.252.35/24 are owned by
Epik Networks.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
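
Added example, not part of the original message: a small Python parser for traceroute output that reports the loop described above by finding consecutive hops whose reply addresses repeat earlier hops at a constant offset. The hop lines are the five quoted in the message; the function names and the two-hop threshold are assumptions of this example.

```python
import re

# Hop lines copied from the message above (hops 11-12 and 149-151).
SAMPLE = """\
11  206.214.251.27 (206.214.251.27)  83.941 ms  81.140 ms  82.900 ms
12  Episode.IV (206.214.251.1)  85.977 ms  82.517 ms  82.427 ms
149  never.gonna.tell.a.lie.and.hurt.you (206.214.251.246)  83.564 ms  83.487 ms  83.365 ms
150  206.214.251.27 (206.214.251.27)  83.226 ms  83.034 ms  84.843 ms
151  episode.iv (206.214.251.1)  83.791 ms  85.578 ms  85.381 ms
"""

# "<hop>  <ptr-name-or-address> (<address>)  <rtt> ms ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return [(hop, ptr_name_or_None, address)] for each responding hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skips "* * *" timeouts and header lines
        hop, name, addr = int(m.group(1)), m.group(2).lower(), m.group(3)
        # traceroute prints the address twice when there is no PTR record
        hops.append((hop, None if name == addr else name, addr))
    return hops

def find_loop(hops, min_run=2):
    """Find the first run of >= min_run consecutive hops whose addresses
    repeat earlier hops at one constant offset.
    Returns (loop_start_hop, mirrored_hop, period) or None."""
    first_seen = {}
    run_start = run_period = prev_hop = None
    run_len = 0
    for hop, _name, addr in hops:
        if addr in first_seen:
            period = hop - first_seen[addr]
            if run_len and period == run_period and hop == prev_hop + 1:
                run_len += 1
            else:
                run_start, run_period, run_len = hop, period, 1
            if run_len >= min_run:
                return run_start, run_start - run_period, run_period
        else:
            first_seen[addr] = hop
            run_len = 0
        prev_hop = hop
    return None
```

On the quoted lines, `find_loop(parse_hops(SAMPLE))` reports that hop 150 repeats hop 11 with a period of 139 hops.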

