Odd cableone traceroute with 0.0.0.0 in path

Okay, so this has my head hurting a bit just trying to figure out just how this is possible and what kind of equipment would pull this stunt.

Tracing from here (cableone cable modem) to the outside world, I end up with the following at the beginning of my traceroute.

  1 192.168.1.1 (192.168.1.1) 2.759 ms 0.803 ms 0.769 ms
  2 0.0.0.0 (0.0.0.0) 10.462 ms 9.543 ms 8.043 ms
  3 192.168.32.65 (192.168.32.65) 9.984 ms 9.654 ms 9.570 ms
  4 te-4-4.car2.seattle1.level3.net (4.53.146.117) 25.960 ms 21.798 ms 24.144 ms
.... etc

0.0.0.0 as one of the hops. So, I pulled out LFT to make sure traceroute isn't going nuts.

Layer Four Traceroute (LFT) version 3.1
Using device en1, 192.168.1.101:53
TTL LFT trace to 207.70.17.213:80/tcp
  1 192.168.1.1 0.9/0.9ms
  2 /9.8/10.3ms
  3 192.168.32.65 9.7/8.3ms
  4 10.255.255.1 9.1/8.4ms
  5 te-4-4.car2.seattle1.level3.net (4.53.146.117) 29.0/20.2ms

Fun, no entry for hop 2, plus there's an extra hop at #4. Let's use verbose.

Layer Four Traceroute (LFT) version 3.1 ... (verbosity level 2)
Using device en1, 192.168.1.101:53
SENT TCP TTL=1 SEQ=648736948 FLAGS=0x2 ( SYN )
SENT TCP TTL=2 SEQ=648736949 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736948 SRC=192.168.1.1 PTTL=1 PSEQ=648736948
SENT TCP TTL=3 SEQ=648736950 FLAGS=0x2 ( SYN )
SENT TCP TTL=4 SEQ=648736951 FLAGS=0x2 ( SYN )
SENT TCP TTL=5 SEQ=648736952 FLAGS=0x2 ( SYN )
SENT TCP TTL=6 SEQ=648736953 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736949 SRC=0.0.0.0 PTTL=2 PSEQ=648736949
SENT TCP TTL=7 SEQ=648736954 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736950 SRC=192.168.32.65 PTTL=3 PSEQ=648736950
RCVD ICMP SEQ=648736951 SRC=10.255.255.1 PTTL=4 PSEQ=648736951
RCVD ICMP SEQ=648736953 SRC=4.68.105.30 PTTL=6 PSEQ=648736953

Am I going nuts, or is something really messed up somewhere upstream from the cable modem? To quote someone from IRC who's just as confused, "the null route just talked to me".

> Okay, so this has my head hurting a bit just trying to figure out just how this is possible and what kind of equipment would pull this stunt.

Misconfig of a p2p addr somewhere? Perhaps someone used 0.0.0.0/30 as a p2p addr for kicks.

e.g. I just tried this at home.

on a next hop router,
# ifconfig igb1 0.0.0.0/30 alias

on a node/workstation behind the above router

0(i5)# ifconfig em0 0.0.0.1/30 alias
0(i5)# route add 173.194.32.104 0.0.0.0

0(i5)# telnet -s 10.255.255.27 173.194.32.104 80
Trying 173.194.32.104...
Connected to yyz06s05-in-f104.1e100.net.
Escape character is '^]'.

And looking for the arp who has, it is indeed asking for 0.0.0.0's MAC addr for the next hop.

15:07:38.308758 00:15:17:ed:36:e5 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 0.0.0.0 tell 0.0.0.1, length 46
15:07:38.308764 00:30:48:94:88:21 > 00:15:17:ed:36:e5, ethertype ARP (0x0806), length 42: Reply 0.0.0.0 is-at 00:30:48:94:88:21, length 28

         ---Mike

> Okay, so this has my head hurting a bit just trying to figure out just
> how this is possible and what kind of equipment would pull this stunt.

My initial guess was that somebody put "0.0.0.0" text as the DNS PTR RR
value for that hop, however that isn't the case as both the name and
the IP address of the hop are 0.0.0.0.

My guess is that the ICMP error that traceroute uses to detect hops is
being sourced from 0.0.0.0 for some reason. Your cable modem wouldn't
be performing any RPF on incoming traffic, so there is nothing to
filter out 0.0.0.0 as an invalid source address (or it may actually be
valid for these ICMP errors - it's the "unspecified" address.)
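
An added example, not written by anyone in the thread: it runs over the LFT verbose lines quoted in the first post, matches each ICMP reply to the probe it quotes, and labels the reply's source address, so the 0.0.0.0 and RFC 1918 hops and the TTLs that never answered stand out. The names `classify` and `analyse` are assumptions of this example.

```python
import ipaddress
import re

# LFT verbose lines copied from the trace quoted in the thread.
LFT_VERBOSE = """\
SENT TCP TTL=1 SEQ=648736948 FLAGS=0x2 ( SYN )
SENT TCP TTL=2 SEQ=648736949 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736948 SRC=192.168.1.1 PTTL=1 PSEQ=648736948
SENT TCP TTL=3 SEQ=648736950 FLAGS=0x2 ( SYN )
SENT TCP TTL=4 SEQ=648736951 FLAGS=0x2 ( SYN )
SENT TCP TTL=5 SEQ=648736952 FLAGS=0x2 ( SYN )
SENT TCP TTL=6 SEQ=648736953 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736949 SRC=0.0.0.0 PTTL=2 PSEQ=648736949
SENT TCP TTL=7 SEQ=648736954 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736950 SRC=192.168.32.65 PTTL=3 PSEQ=648736950
RCVD ICMP SEQ=648736951 SRC=10.255.255.1 PTTL=4 PSEQ=648736951
RCVD ICMP SEQ=648736953 SRC=4.68.105.30 PTTL=6 PSEQ=648736953
"""

SENT = re.compile(r"^SENT TCP TTL=(\d+) SEQ=(\d+)")
RCVD = re.compile(r"^RCVD ICMP SEQ=\d+ SRC=(\S+) PTTL=(\d+) PSEQ=(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                  # 0.0.0.0, the "unspecified" address
        return "unspecified"
    if any(ip in net for net in RFC1918):  # private space, not routed on the Internet
        return "rfc1918"
    return "global" if ip.is_global else "special"

def analyse(text):
    """Return ({ttl: (src, label)}, [TTLs probed but never answered])."""
    lines = text.splitlines()
    # Probe SEQ -> TTL it was sent with.
    sent = {int(m[2]): int(m[1]) for m in map(SENT.match, lines) if m}
    hops = {}
    for m in filter(None, map(RCVD.match, lines)):
        src, pttl, pseq = m[1], int(m[2]), int(m[3])
        # Accept a reply only if it quotes a probe actually sent at that TTL.
        if sent.get(pseq) == pttl:
            hops[pttl] = (src, classify(src))
    return hops, sorted(set(sent.values()) - set(hops))

if __name__ == "__main__":
    hops, silent = analyse(LFT_VERBOSE)
    for ttl, (src, label) in sorted(hops.items()):
        print(f"hop {ttl}: {src:15} {label}")
    print("no reply for TTL:", silent)
```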