Re: disable traceroute to my host

From: Fernando Gleiser (fgleiser@cactus.fi.uba.ar)
Date: 06/23/01


Date: Fri, 22 Jun 2001 22:23:30 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: alexus <ml@db.nexgen.com>

On Fri, 22 Jun 2001, alexus wrote:

> is it possible to disable using ipfw so people won't be able to traceroute
> me?

I don't know if it is possible with ipfw, but with ip filter you can add
a rule to block any packets with ttl=1:

block in log quick on xl0 ttl 1 proto ip all

That will stop Windows traceroute (ICMP based) as well as Unix traceroute
(UDP based).

Unix traceroute uses UDP packets with destination port > 33434, but this can
be changed. As far as I know, the only way to stop traceroute is to drop
any packet with ttl=1. This might block legitimate traffic, but I haven't
seen any packet in the wild with ttl=1 which was not a traceroute.

Hope this helps.
                        Fer
