I'm reading an article about the recent Github DDoS with traffic coming from no
Question
I'm reading an article about the recent Github DDoS with traffic coming from non-Chinese Baidu users.
There are two Wireshark screenshots in the middle of the article with arrows pointing to the sequence number of the SYN-ACK step from the TCP three-way handshake, also the TTL from the IP header, and on the second screenshot, TCP Window size is pointed.
Everything looks normal to me, and I can't really understand what these screenshots are supposed to demonstrate in the context of the discussed problem. What is wrong with them?
Explanation / Answer
What this screenshot wants to demonstrate is that the SYN-ACK and the following packets have different TTLs (Time-To-Live). Each TCP packet has a TTL counter which starts at a specific value when a packet leaves a host and gets decremented by every router which forwards the packet. The payload having a lower TTL than the SYN-ACK packet means that it passed through more routers. This implies that some system detected the SYN-ACK as "interesting" and decided to reroute the connection afterwards, likely through some system which performed a man-in-the-middle attack.
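An added example (not from the question or the answer above): a small Python check, run over a constructed packet list rather than a real pcap, that groups packets into TCP flows and reports server-side packets whose IP TTL differs from the TTL of that flow's SYN-ACK. The record field names (src, sport, dst, dport, flags, ttl) and the packet values are this example's own assumptions.

```python
# Added example, not code from the page: detect the TTL inconsistency the
# screenshots point at. A host's TTL starting value and the hop count to it
# are normally stable within one connection, so a server-side packet with a
# TTL different from the SYN-ACK's deserves a look. Route changes (e.g. ECMP)
# can cause small legitimate differences, so treat hits as leads, not proof.
from collections import defaultdict

# Constructed sample capture (not real traffic). Flow 1 is consistent;
# in flow 2 the data packet after the handshake arrives with a lower TTL
# (more hops) than the SYN-ACK, i.e. it took a different path.
PACKETS = [
    {"src": "10.0.0.5", "sport": 50000, "dst": "203.0.113.10", "dport": 80, "flags": "S", "ttl": 64},
    {"src": "203.0.113.10", "sport": 80, "dst": "10.0.0.5", "dport": 50000, "flags": "SA", "ttl": 52},
    {"src": "10.0.0.5", "sport": 50000, "dst": "203.0.113.10", "dport": 80, "flags": "A", "ttl": 64},
    {"src": "203.0.113.10", "sport": 80, "dst": "10.0.0.5", "dport": 50000, "flags": "PA", "ttl": 52},
    {"src": "10.0.0.6", "sport": 50001, "dst": "203.0.113.20", "dport": 80, "flags": "S", "ttl": 64},
    {"src": "203.0.113.20", "sport": 80, "dst": "10.0.0.6", "dport": 50001, "flags": "SA", "ttl": 47},
    {"src": "10.0.0.6", "sport": 50001, "dst": "203.0.113.20", "dport": 80, "flags": "A", "ttl": 64},
    {"src": "203.0.113.20", "sport": 80, "dst": "10.0.0.6", "dport": 50001, "flags": "PA", "ttl": 39},
]


def flow_key(p):
    """Direction-independent key so both halves of a connection map to one flow."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def find_ttl_mismatches(packets):
    """Return {flow_key: (synack_ttl, [mismatching ttls])} for flows in which a
    later packet from the SYN-ACK sender carries a different TTL than the SYN-ACK.
    Packets are assumed to be in capture order (SYN-ACK before the data)."""
    synack = {}                    # flow -> (server ip, TTL seen on the SYN-ACK)
    mismatches = defaultdict(list)
    for p in packets:
        key = flow_key(p)
        if p["flags"] == "SA":
            synack[key] = (p["src"], p["ttl"])
        elif key in synack:
            server, base_ttl = synack[key]
            if p["src"] == server and p["ttl"] != base_ttl:
                mismatches[key].append(p["ttl"])
    return {k: (synack[k][1], ttls) for k, ttls in mismatches.items()}


if __name__ == "__main__":
    for key, (base, seen) in find_ttl_mismatches(PACKETS).items():
        print(f"flow {key}: SYN-ACK TTL {base}, later server TTLs {seen}")
```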