Re: disable traceroute to my host

From: alexus (ml@db.nexgen.com)
Date: 06/25/01


From: "alexus" <ml@db.nexgen.com>
To: <freebsd-security@FreeBSD.ORG>, "Dag-Erling Smorgrav" <des@ofug.org>
Date: Mon, 25 Jun 2001 15:49:26 -0400

I'm thinking to disable ttl=1... would that be ok with you?

----- Original Message -----
From: "Dag-Erling Smorgrav" <des@ofug.org>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, June 24, 2001 11:10 AM
Subject: Re: disable traceroute to my host

> "Kris Anderson" <ohshutup@zdnetmail.com> writes:
> > You can put in a rule like
> >
> > ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
> > [...]
>
> AUUUUGH!
>
> First - the only one who got it right is Brooks Davis: no, it can't be
> done. The best you can hope for is to prevent your own box (and
> anything behind it, if it's a gateway) from responding to certain
> specific types of traces, but the tracer will still be able to see
> most of the route between you and him, and there are ways of tracing a
> route that you can't block without also blocking a lot of legitimate
> traffic.
>
> Second - traceroute is pretty harmless, and not really the corner-
> stone of 3v1l h4ckd0m you people seem to think it is, so even if you
> could prevent anyone from tracerouting you it wouldn't make much (or
> even any) difference to an attacker's ability to harm you.
>
> Third - if you set up ipfw to unconditionally block ICMP (whether in
> the mistaken belief that it will prevent route tracing or for some
> other lameass reason), I will personally buy a very heavy baseball
> bat, hop on a plane, and pay you a visit you'll remember for the rest
> of your very short lives. Although some ICMP types are admittedly not
> very useful, that doesn't mean none of them are, and you should at the
> very least let types 3 and 11 through or you'll be very sorry. I
> usually set up my filters to let 0, 3, 8 and 11 through and block
> everything else.
>
> Fourth - this subject has been discussed to death on this very list
> several times in the past. We keep searchable archives for a reason.
>
> Fifth - someone mentioned stealth routing. There's no such thing in
> FreeBSD, but there's something called stealth forwarding, which I
> wrote*, and which makes the TCP/IP stack neither decrement nor even
> inspect the TTL on forwarded packets, so if someone traceroutes a host
> behind you you won't show up in the trace, but if someone traceroutes
> you it'll be business as usual. You need to add the IPSTEALTH option
> to your kernel to enable support for this (and toggle a sysctl
> variable to actually turn stealth forwarding on).
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
> * It went a bit like this: Friend: "Sun have this new firewall product
> that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can
> do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No
> it can't, because blah blah blah" - Me: "Oh, I see" <clicketyclick>
> "Now FreeBSD can do that too" - Friend: <boggle>
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
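A toy model of TTL-based route tracing, added here as an example and not code from the thread or from FreeBSD: it illustrates DES's first and fifth points, namely that a hop which refuses to send ICMP time exceeded (type 11) merely shows up as a "*" while the rest of the path stays visible, and that a stealth-forwarding hop (one that neither decrements nor inspects TTL) is absent from a trace to a host behind it but still answers when traced directly. Hop names and behaviour flags are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    stealth: bool = False             # forward without touching TTL (IPSTEALTH-style)
    send_time_exceeded: bool = True   # emit ICMP type 11 when the TTL reaches zero


def probe(path, ttl):
    """Send one probe with the given TTL along `path` (a list of Hop objects,
    last element is the destination). Return the name of whoever answers,
    or None if the probe times out."""
    for hop in path:
        if hop is path[-1]:
            # Reached the destination: it answers (echo reply / port unreachable).
            return hop.name
        if hop.stealth:
            # Stealth forwarding: TTL is neither decremented nor inspected.
            continue
        ttl -= 1
        if ttl == 0:
            # Normal router behaviour is to send ICMP type 11; a host that
            # drops or never generates it just produces silence.
            return hop.name if hop.send_time_exceeded else None
    return None


def traceroute(path, max_ttl=8):
    """Return the per-TTL responders, '*' where nothing came back,
    stopping once the destination answers."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        responder = probe(path, ttl)
        seen.append(responder or "*")
        if responder == path[-1].name:
            break
    return seen


if __name__ == "__main__":
    # Constructed paths: a plain router, a gateway with stealth forwarding on,
    # and the same gateway traced directly.
    plain = [Hop("r1"), Hop("r2"), Hop("dst")]
    hidden = [Hop("r1"), Hop("gw", stealth=True), Hop("dst")]
    direct = [Hop("r1"), Hop("gw", stealth=True)]
    for p in (plain, hidden, direct):
        print([h.name for h in p], "->", traceroute(p))
```

Blocking type 11 on a single hop only blanks that line of the trace; the hops before and after it are still reported, which is why the quoted mail calls the measure pointless.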