Re: disable traceroute to my host

From: alexus (ml@db.nexgen.com)
Date: 06/25/01


From: "alexus" <ml@db.nexgen.com>
To: "Peter Pentchev" <roam@orbitel.bg>, "Fernando Gleiser" <fgleiser@cactus.fi.uba.ar>
Date: Mon, 25 Jun 2001 15:52:53 -0400

I can't just block whole icmp .. or udp.. I just can't.. I only wanted to
block certain range, type, whatever was that just for traceroute .. but I was
thinking .. and yes I won't gain much (in fact nothing) so ... the max thing
I'll do is disable ttl=1.. this should cover the trick..

----- Original Message -----
From: "Peter Pentchev" <roam@orbitel.bg>
To: "Fernando Gleiser" <fgleiser@cactus.fi.uba.ar>
Cc: "alexus" <ml@db.nexgen.com>; <freebsd-security@FreeBSD.ORG>
Sent: Saturday, June 23, 2001 7:34 AM
Subject: Re: disable traceroute to my host

> On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote:
> > On Fri, 22 Jun 2001, alexus wrote:
> >
> > > is it possible to disable using ipfw so people won't be able to traceroute
> > > me?
> >
> > I don't know if it is possible with ipfw, but with ip filter you can add
> > a rule to block any packets with ttl=1:
> >
> > block in log quick on xl0 ttl 1 proto ip all
> >
> > That will stop windows traceroute (icmp based) as well as unix traceroute
> > (udp based).
> >
> > Unix traceroute uses udp packets with destination port > 33434, but this can
> > be changed. As far as I know, the only way to stop traceroute is to drop
> > any packet with ttl=1. This might block legitimate traffic, but I haven't
> > seen any packet in the wild with ttl=1 which was not a traceroute.
>
> This shall only stop traceroutes destined for this particular machine.
> If you tried this on a firewall/gateway machine, it would block the response
> from the gateway itself, but the internal machines would still respond.
>
> The response from Igor Podlesny in the thread contains a much more
> effective approach, which might block a bit too much, but it would
> certainly block traceroutes.
>
> Oh and BTW, blocking all packets with ttl=1 could block some legitimate
> packets that have simply gone down the long and winding road, and stopped
> at too many auberges to rest along the way :)
>
> G'luck,
> Peter
>
> --
> If wishes were fishes, the antecedent of this conditional would be true.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
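
An added example, not part of the thread: a small Python audit that shows which arriving packets a ttl=1 drop rule like the one quoted above would hit, separating traceroute-style probes from other traffic. The packets are constructed samples, and the 33434-33534 UDP port window is an assumption based on the common traceroute default.

```python
import struct
from collections import Counter

# Assumption: the traditional default probe window starting at port 33434.
TRACEROUTE_UDP_PORTS = range(33434, 33535)

def make_ipv4(ttl, proto, payload=b""):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

def classify(packet):
    """Return None if a ttl=1 rule would not match, else a label for the packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # not a parseable IPv4 packet
    ihl = (packet[0] & 0x0F) * 4          # IP options shift the payload start
    ttl, proto = packet[8], packet[9]
    if ttl != 1 or ihl < 20 or len(packet) < ihl:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "other"                    # later fragment: no L4 header to inspect
    payload = packet[ihl:]
    if proto == 17 and len(payload) >= 4: # UDP: check destination port
        dport = struct.unpack("!H", payload[2:4])[0]
        return "udp-traceroute" if dport in TRACEROUTE_UDP_PORTS else "other"
    if proto == 1 and payload[:1] == b"\x08":
        return "icmp-echo-probe"          # ICMP echo request, as Windows tracert sends
    return "other"

def audit(packets):
    """Count, per label, the packets the ttl=1 rule would drop."""
    return Counter(label for label in map(classify, packets) if label)

# Constructed sample packets (not captured traffic).
SAMPLES = [
    make_ipv4(1, 17, struct.pack("!HHHH", 40000, 33435, 8, 0)),   # UDP probe
    make_ipv4(1, 1, bytes([8, 0, 0, 0, 0, 1, 0, 1])),            # ICMP echo request
    make_ipv4(1, 89, b"\x02\x01" + bytes(22)),                    # OSPF hello (sent with TTL 1)
    make_ipv4(1, 17, struct.pack("!HHHH", 40000, 53, 8, 0)),      # UDP to port 53 with one hop left
    make_ipv4(57, 17, struct.pack("!HHHH", 40000, 33435, 8, 0)),  # normal TTL: rule does not match
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLES).items()):
        print(f"{label}: {count}")
```

Packets counted as "other" are the ones a blanket ttl=1 drop would discard even though they are not traceroute probes.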


