Re: disable traceroute to my host

From: alexus (ml@db.nexgen.com)
Date: 06/25/01


From: "alexus" <ml@db.nexgen.com>
To: <freebsd-security@FreeBSD.ORG>, "Dag-Erling Smorgrav" <des@ofug.org>
Date: Mon, 25 Jun 2001 15:49:26 -0400

i'm thinkin to disable ttl=1 .. would that be ok with you?

----- Original Message -----
From: "Dag-Erling Smorgrav" <des@ofug.org>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, June 24, 2001 11:10 AM
Subject: Re: disable traceroute to my host

> "Kris Anderson" <ohshutup@zdnetmail.com> writes:
> > You can put in a rule like
> >
> > ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
> > [...]
>
> AUUUUGH!
>
> First - the only one who got it right is Brooks Davis: no, it can't be
> done. The best you can hope for is to prevent your own box (and
> anything behind it, if it's a gateway) from responding to certain
> specific types of traces, but the tracer will still be able to see
> most of the route between you and him, and there are ways of tracing a
> route that you can't block without also blocking a lot of legitimate
> traffic.
>
> Second - traceroute is pretty harmless, and not really the corner-
> stone of 3v1l h4ckd0m you people seem to think it is, so even if you
> could prevent anyone from tracerouting you it wouldn't make much (or
> even any) difference to an attacker's ability to harm you.
>
> Third - if you set up ipfw to unconditionally block ICMP (whether in
> the mistaken belief that it will prevent route tracing or for some
> other lameass reason), I will personally buy a very heavy baseball
> bat, hop on a plane, and pay you a visit you'll remember for the rest
> of your very short lives. Although some ICMP types are admittedly not
> very useful, that doesn't mean none of them are, and you should at the
> very least let types 3 and 11 through or you'll be very sorry. I
> usually set up my filters to let 0, 3, 8 and 11 through and block
> everything else.
>
> Fourth - this subject has been discussed to death on this very list
> several times in the past. We keep searchable archives for a reason.
>
> Fifth - someone mentioned stealth routing. There's no such thing in
> FreeBSD, but there's something called stealth forwarding, which I
> wrote*, and which makes the TCP/IP stack neither decrement nor even
> inspect the TTL on forwarded packets, so if someone traceroutes a host
> behind you you won't show up in the trace, but if someone traceroutes
> you it'll be business as usual. You need to add the IPSTEALTH option
> to your kernel to enable support for this (and toggle a sysctl
> variable to actually turn stealth forwarding on).
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
> * It went a bit like this: Friend: "Sun have this new firewall product
> that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can
> do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No
> it can't, because blah blah blah" - Me: "Oh, I see" <clicketyclick>
> "Now FreeBSD can do that too" - Friend: <boggle>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages

  • Re: hotmail is blocked on my computer and I dont know how or why
    ... Do a traceroute: ... some login.passport.net host probably back in the USA)! ... their server is up but it is unreachable by me. ... A reverse DNS lookup on each IP address returns ...
    (microsoft.public.windowsxp.general)
  • Re: Persistant URL problem
    ... Can you do a traceroute from your computer to your web ... Tracing route to www.finitesite.com ... That might indicate that host you go through has a problem whereas ... Verio ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Why some hosts in Internet not prefer to be traceroute-d ?
    ... i.e. not to send a TTL exceeded ICMP packet back to the host. ... like dropping TTL exceeded ICMP packets (dropping such packets in ... I used to traceroute in unprivileged user mode, ... What's the difference between a router and a endpoint host from ...
    (comp.os.linux.networking)
  • Re: traceroute error !<10>
    ... > to find the reason for that traceroute behaviour. ... It is clearly the default Fedora firewall (iptables) setup which causes ... from my one Fedora Core host with IP ... So the reason for your observation is cleared. ...
    (Fedora)
  • Re: problem report bin/157732, patch included
    ... "Host software MUST handle host names of up to 63 characters and ... Since more recent RFCs allowed non-ascii hostnames, that factor should be taken into account as well. ... longer than 64 (traceroute line 1621, ... I can imagine several reasons for forbidding any hostnames> 64, ...
    (freebsd-questions)