Re: disable traceroute to my host

From: Peter Pentchev (roam@orbitel.bg)
Date: 06/23/01


Date: Sat, 23 Jun 2001 14:34:19 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>

On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote:
> On Fri, 22 Jun 2001, alexus wrote:
>
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
>
> I don't know if it is possible with ipfw, but with ip filter you can add
> a rule to block any packets with ttl=1:
>
> block in log quick on xl0 ttl 1 proto ip all
>
> That will stop Windows traceroute (ICMP based) as well as Unix traceroute
> (UDP based).
>
> Unix traceroute uses UDP packets with destination port > 33434, but this can
> be changed. As far as I know, the only way to stop traceroute is to drop
> any packet with ttl=1. This might block legitimate traffic, but I haven't
> seen any packet in the wild with ttl=1 which was not a traceroute.

This shall only stop traceroutes destined for this particular machine.
If you tried this on a firewall/gateway machine, it would block the response
from the gateway itself, but the internal machines would still respond.

The response from Igor Podlesny in the thread contains a much more
effective approach, which might block a bit too much, but it would
certainly block traceroutes.

Oh and BTW, blocking all packets with ttl=1 could block some legitimate
packets that have simply gone down the long and winding road, and stopped
at too many auberges to rest along the way :)

G'luck,
Peter

-- 
If wishes were fishes, the antecedent of this conditional would be true.
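
The gateway case and the ttl=1 side effect described in the reply above, as a small simulation. This is an added example, not part of the original message; the node names, the two topologies and the send/traceroute helpers are constructed for illustration, and the model assumes the filter is applied to inbound packets before any forwarding decision.

```python
# Simplified model (added example): each node sees the TTL a packet arrives
# with; a node with drop_ttl1=True applies the thread's "block in ... ttl 1"
# rule to inbound traffic before doing anything else with the packet.
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    drop_ttl1: bool = False  # inbound filter: silently drop packets with TTL == 1


def send(path, ttl):
    """Send one packet with the given initial TTL along path (the last node
    is the destination). Returns (responder, reply) or (None, 'dropped')."""
    for i, node in enumerate(path):
        is_dest = i == len(path) - 1
        if node.drop_ttl1 and ttl == 1:
            return None, "dropped"             # filter fires, no ICMP is sent
        if is_dest:
            return node.name, "reply"          # destination answers the probe
        if ttl <= 1:
            return node.name, "time-exceeded"  # router reveals itself
        ttl -= 1                               # router forwards, TTL decremented
    raise ValueError("empty path")


def traceroute(path):
    """One probe per TTL up to the path length; None marks a silent hop."""
    return [send(path, ttl)[0] for ttl in range(1, len(path) + 1)]


# Constructed topology: upstream router, filtering gateway, internal host.
GATEWAY_PATH = [Node("isp-router"), Node("gateway", drop_ttl1=True),
                Node("inside-host")]

# Constructed long path: 31 routers, then a host that runs the filter itself.
LONG_PATH = ([Node(f"r{i}") for i in range(1, 32)]
             + [Node("filtered-host", drop_ttl1=True)])

if __name__ == "__main__":
    print(traceroute(GATEWAY_PATH))  # gateway hop is silent, inside host answers
    print(send(LONG_PATH, 32))       # ordinary packet arriving with TTL 1: dropped
    print(send(LONG_PATH, 64))       # same path, more TTL headroom: delivered
```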