Re: disable traceroute to my host

From: alexus (ml@db.nexgen.com)
Date: 06/25/01


From: "alexus" <ml@db.nexgen.com>
To: "Igor Podlesny" <poige@morning.ru>
Date: Mon, 25 Jun 2001 15:50:45 -0400

Thanks a lot for this whole explanation; I appreciate everyone on the list
taking the time to explain how the basics work. I'm trying to read books,
manuals and the Internet for all those things, but not everything makes sense,
whereas when a real person explains it, it helps me a lot more.

thanks everyone

----- Original Message -----
From: "Igor Podlesny" <poige@morning.ru>
To: "alexus" <ml@db.nexgen.com>
Cc: <freebsd-security@FreeBSD.ORG>; <freebsd-isp@FreeBSD.ORG>
Sent: Saturday, June 23, 2001 12:13 AM
Subject: Re: disable traceroute to my host

>
> > is it possible to disable using ipfw so people won't be able to
> > traceroute me?
>
> Yes, of course.
>
> You should know how traceroute-like utilities work.
>
> The knowledge can easily be extracted from a lot of sources, e.g.
> from the Internet, since you seem to be connected ;) but it should also
> be mentioned that the man pages coming with FreeBSD (and I guess with
> other *NIX-like OSes as well) also describe the algorithm.
>
> So man traceroute says that it uses UDP ports starting at 33434 and
> going up with every new hop, but this can easily be changed with the -p
> option. Besides, Windows' tracert works using the ICMP protocol, so the
> decision isn't here. It lies in what the box does when answering
> them. It sends a 'time exceeded in-transit' ICMP message because the TTL
> value is set too low to let the packet jump forward. So that is the
> answer -- you should disallow it with your ipfw, e.g. using such
> syntax:
>
> deny icmp from any to any icmptype 11
>
> (yeah, you should think carefully about whether or not to use ANY,
> because if your box is a gateway other people will notice your
> cutting-edge knowledge, since it will hide not only your host ;)
>
> This is not the end, alas. UNIX traceroute will wait for a port unreach
> ICMP, so after meeting it, it stops and displays the end point of your
> trace. Windows' tracert will wait for a normal ICMP echo reply for the
> same purpose. So if you also wish to hide the end point, you need to
> disallow this as well. I bet you can figure out how by yourself
> now.
>
> P.S. There are also other ways (even more elegant) of doing that in
> practice... they are called 'stealth routing' and can be implemented via
> a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with
> ipf (ipfilter).
>
> Read the man pages, man, they are freely available...
>
> --
> Igor mailto:poige@morning.ru
> http://poige.nm.ru
>
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
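The mechanics Igor describes (UDP probes from port 33434 upward with an increasing TTL, type 11 from each forwarding hop, port unreachable or echo reply from the end point) can be seen end to end in the following simulation. This is an added example, not code from the thread or from FreeBSD: it models the effect of rules of the form `ipfw add deny icmp from me to any icmptypes 3,0` (the `deny_out` set on a node) rather than running ipfw, and the hop addresses and path are constructed for illustration. It also makes one caveat explicit that a practitioner would want: TTL is decremented only when a packet is forwarded, so a box that does not route never emits type 11 for traces aimed at itself; the type 11 rule only changes what traces to hosts behind a gateway look like (Igor's "hides not only your host"), and it is the port unreachable and echo reply rules that hide the end point from traceroute and tracert respectively.

```python
"""Simulate UNIX traceroute (UDP probes) and Windows tracert (ICMP echo probes)
against a short path, with ipfw-style outbound ICMP deny rules on the target
or on a gateway.  Hypothetical model; all addresses are constructed examples."""

ICMP_ECHO_REPLY = 0      # what tracert waits for from the end point
ICMP_PORT_UNREACH = 3    # type 3 (code 3): what traceroute waits for from the end point
ICMP_TIME_EXCEEDED = 11  # sent by a forwarding hop whose decrement drops TTL to 0


class Node:
    """One hop.  deny_out holds outbound ICMP types the box's ipfw drops,
    i.e. the effect of 'ipfw add deny icmp from me to any icmptypes N'."""

    def __init__(self, ip, deny_out=()):
        self.ip = ip
        self.deny_out = set(deny_out)

    def send_icmp(self, icmp_type):
        """ICMP type actually emitted, or None if the firewall dropped it."""
        return None if icmp_type in self.deny_out else icmp_type


def probe(path, ttl, proto):
    """Push one probe with the given TTL along path (last element is the target).
    Returns (ip of the hop that answered, ICMP type it emitted or None)."""
    for hop, node in enumerate(path):
        if hop < len(path) - 1:
            ttl -= 1                      # only forwarding hops decrement TTL ...
            if ttl == 0:                  # ... and only they ever send type 11
                return node.ip, node.send_icmp(ICMP_TIME_EXCEEDED)
            continue
        # target: the packet is delivered locally whatever TTL is left
        answer = ICMP_PORT_UNREACH if proto == "udp" else ICMP_ECHO_REPLY
        return node.ip, node.send_icmp(answer)
    raise ValueError("empty path")


def traceroute(path, proto="udp", max_hops=30, first_port=33434):
    """Return [(ttl, shown_ip_or_'*', udp_port)] as traceroute/tracert would print.
    proto='udp' mimics BSD traceroute (-p base port, +1 per probe, one probe per hop
    here); proto='icmp' mimics Windows tracert (the port column is then unused)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        port = first_port + ttl - 1
        ip, icmp_type = probe(path, ttl, proto)
        rows.append((ttl, ip if icmp_type is not None else "*", port))
        if icmp_type in (ICMP_PORT_UNREACH, ICMP_ECHO_REPLY):
            break                         # end point identified; trace complete
    return rows


def scenarios():
    """The cases discussed in the thread; each value is the trace a remote user sees."""
    r1, r2 = Node("10.0.0.1"), Node("10.0.1.1")
    inner = Node("192.168.1.5")
    return {
        # plain end host: routers answer with type 11, the host with port unreachable
        "open_udp": traceroute([r1, r2, Node("192.0.2.10")]),
        # deny icmptypes 11 on an end host: no effect, it never forwards
        "deny11_host_udp": traceroute([r1, r2, Node("192.0.2.10", {11})]),
        # deny port unreachable: traceroute never sees the end point, runs to max_hops
        "deny3_host_udp": traceroute([r1, r2, Node("192.0.2.10", {3})], max_hops=5),
        # ... but Windows tracert still gets its echo reply
        "deny3_host_icmp": traceroute([r1, r2, Node("192.0.2.10", {3})], proto="icmp"),
        # deny both 3 and 0: the end point is hidden from either tool
        "deny3_0_host_icmp": traceroute([r1, r2, Node("192.0.2.10", {3, 0})],
                                        proto="icmp", max_hops=5),
        # 'deny icmp from any to any icmptypes 11' on a gateway blanks the gateway
        # hop in everyone's traces to hosts behind it, which still answer themselves
        "deny11_gateway_udp": traceroute([r1, Node("192.0.2.1", {11}), inner]),
    }


if __name__ == "__main__":
    for name, rows in scenarios().items():
        print(name)
        for ttl, shown, port in rows:
            print(f"{ttl:3d}  {shown:<14} udp/{port}")
```

Running the block prints each scenario as a traceroute-style listing; the `deny3_host_udp` case is what a remote user sees as the familiar `* * *` run to the hop limit, while `deny3_host_icmp` shows why a rule for type 3 alone leaves the host visible to tracert.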


