Menu
If you do a traceroute on bad.horse you get this amazing result:
⚘ traceroute bad.horse 10:46:24
traceroute to bad.horse (162.252.205.157), 30 hops max, 60 byte packets
1 gateway (192.168.42.1) 0.382 ms 0.690 ms 0.795 ms
2 10.52.192.1 (10.52.192.1) 8.594 ms 13.533 ms 14.438 ms
3 70.183.68.108 (70.183.68.108) 14.525 ms 14.620 ms 14.643 ms
4 70.183.71.92 (70.183.71.92) 23.323 ms 24.356 ms 24.219 ms
5 dalsbprj01-ae1.0.rd.dl.cox.net (68.1.2.109) 119.445 ms 120.277 ms 62.337 ms
6 10ge6-9.core1.dal1.he.net (184.105.16.77) 70.903 ms 57.131 ms 67.526 ms
7 10ge12-6.core1.chi1.he.net (184.105.213.118) 43.732 ms 42.770 ms 43.774 ms
8 100ge10-1.core1.msp1.he.net (184.105.223.178) 59.138 ms 60.040 ms 60.115 ms
9 ip-house.gigabitethernet3-6.core1.msp1.he.net (216.66.78.110) 55.395 ms 54.378 ms 55.345 ms
10 c4500-1.mpls.iphouse.net (216.250.189.170) 55.412 ms 48.480 ms 53.559 ms
11 egw-iphouse.mplsc1.mn.us.sn11.net (209.240.64.149) 52.298 ms 53.225 ms 53.372 ms
12 sandwichnet.dmarc.lga1.atlanticmetro.net (208.68.168.214) 84.848 ms 83.666 ms 84.504 ms
13 bad.horse (162.252.205.130) 84.768 ms 85.393 ms 87.570 ms
14 bad.horse (162.252.205.131) 86.527 ms 90.848 ms 83.121 ms
15 bad.horse (162.252.205.132) 91.399 ms 91.158 ms 91.256 ms
16 bad.horse (162.252.205.133) 97.087 ms 96.865 ms 96.914 ms
17 he.rides.across.the.nation (162.252.205.134) 104.836 ms 104.955 ms 104.670 ms
18 the.thoroughbred.of.sin (162.252.205.135) 108.286 ms 107.884 ms 107.020 ms
19 he.got.the.application (162.252.205.136) 109.024 ms 110.304 ms 111.553 ms
20 that.you.just.sent.in (162.252.205.137) 117.034 ms 113.230 ms 115.878 ms
21 it.needs.evaluation (162.252.205.138) 123.398 ms 122.680 ms 120.805 ms
22 so.let.the.games.begin (162.252.205.139) 129.908 ms 126.529 ms 130.947 ms
23 a.heinous.crime (162.252.205.140) 131.899 ms 132.798 ms 131.009 ms
24 a.show.of.force (162.252.205.141) 136.237 ms 136.104 ms 135.543 ms
25 a.murder.would.be.nice.of.course (162.252.205.142) 140.381 ms 141.924 ms 142.517 ms
26 bad.horse (162.252.205.143) 145.723 ms 142.737 ms 148.146 ms
27 bad.horse (162.252.205.144) 152.364 ms 152.251 ms 150.875 ms
28 bad.horse (162.252.205.145) 155.535 ms 155.014 ms 152.655 ms
29 he-s.bad (162.252.205.146) 163.286 ms 161.130 ms 163.883 ms
30 the.evil.league.of.evil (162.252.205.147) 165.159 ms 167.220 ms 164.500 ms
31 is.watching.so.beware (162.252.205.148) 170.873 ms 173.487 ms 171.568 ms
32 the.grade.that.you.receive (162.252.205.149) 176.218 ms 175.204 ms 174.433 ms
33 will.be.your.last.we.swear (162.252.205.150) 182.528 ms 184.565 ms 182.459 ms
34 so.make.the.bad.horse.gleeful (162.252.205.151) 182.353 ms 187.004 ms 188.215 ms
35 or.he-ll.make.you.his.mare (162.252.205.152) 193.428 ms 190.271 ms 192.049 ms
36 o_o (162.252.205.153) 196.362 ms 196.326 ms 196.022 ms
37 you-re.saddled.up (162.252.205.154) 201.828 ms 201.184 ms 201.339 ms
38 there-s.no.recourse (162.252.205.155) 205.054 ms 207.239 ms 205.630 ms
39 it-s.hi-ho.silver (162.252.205.156) 212.140 ms 211.960 ms 212.158 ms
40 signed.bad.horse (162.252.205.157) 211.620 ms 209.723 ms 212.074 ms
How does that work? How do you setup a network in such a way that traceroute will give you a result like this?
369
A traceroute works by sending Internet Control Message Protocol (ICMP) packets, and every router involved in transferring the data gets these packets. The ICMP packets provide information about whether the routers used in the transmission are able to effectively transfer the data.
A traceroute displays the path that the signal took as it traveled around the Internet to the website. It also displays times which are the response times that occurred at each stop along the route. If there is a connection problem or latency connecting to a site, it will show up in these times.
An adversary uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow the adversary to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine.
Eheheh nice!
It's because the author of the joke owns 162.252.204.0/22 (Sandwich.Net LLC or one of their customers maybe), consequently they have a DNS server (162.252.205.157) that is authoritative for all the replies to PTR queries inside that range.
Now, they need to assign to their routers as many IPs as the number of sentences they want to show (or also assign those IPs to virtual instances inside the same physical router, or make policy routing between SVIs, etc.).
Then, they need to define an entry point (router) for the bad.horse host (162.252.205.157) in their Autonomous System AS62512 (that is, advertise 162.252.205.157 with BGP from the first router in the path).
From this entry point, they need to make a route on every other router that point to the next router till bad.horse (ie. define the path of routers that a packet entering their network with destination IP of bad.horse will follow); in other words something like:
[Internet]-->Router0 (IP x.x.x.1)-->Router1 (IP x.x.x.2)-->Router3 (IP x.x.x.3)-->[bad.horse host]
Finally, in the DNS server, they map the IPs in the path to a string, that is the sentence you got. From example above:
x.x.x.1 -> hello.you
x.x.x.2 -> how.are.you
x.x.x.3 -> etc...
This way, when your traceroute software will receive the Time Exceed back from every router in the path (in sequence), it will try to resolve the IP to a name by reaching their DNS server, receiving the sentences (in form of DNS names) they configured.
197
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
