Re[2]: disable traceroute to my host

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 06/26/01


Date: Tue, 26 Jun 2001 15:08:13 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: "alexus" <ml@db.nexgen.com>

Hello alexus,

BSD-style traceroute sends UDP packets starting from port 33434,
increasing the port for every packet. If someone traceroutes your host
with 3 packets for each TTL, and your host is located 4 hops away, you'll
get UDP packets for ports 33443-33445 if your server replies to
traceroute, or 33443-33490 (default is 20 hops max) if your host is
unreachable. The ipfw rule

deny udp from any to YOURNET 33430-33500 in

will stop the default BSD traceroute, but can lead to some problems if
these ports are dynamically allocated to some program.

Windows uses ICMP type 8 (echo) for traceroute. You must disable
incoming ICMP type 8 to prevent Windows-style traceroute (this will
also stop route discovery via ping -R). Use

deny icmp from any to YOURNET icmptypes 8 in

Another possible solution is to prevent your hosts from replying to
traceroute.

deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out

0 - to stop Windows traceroute and ping
3 - to stop BSD-style traceroute
11 - to prevent intermediate routers from replying to traceroute

--Monday, June 25, 2001, 11:30:50 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

a> i understand i can't really disable the whole tree of traceroute .. i can
a> only disable my very last hop.. i also understand it's not going to do much..
a> but i still would like to do so..

a> i need to find out which icmp type it uses and most of all how i can make
a> it so i can traceroute from my box but people won't be able to traceroute to me
a> (on the last hop)

a> ----- Original Message -----
a> From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
a> To: "alexus" <ml@db.nexgen.com>
a> Sent: Saturday, June 23, 2001 7:05 AM
a> Subject: Re: disable traceroute to my host

>> Hello alexus,
>>
>> It's impossible to disable traceroute on your host. You can filter
>> incoming ICMP echo request and UDP packets or outgoing TTL exceeded
>> ICMP packets on corporate firewall to disable your internal network
>> structure discovery, but it doesn't solve problem completely, because
>> route can be traced with different kinds of packets. Better way is to
>> use NAT between private and public networks.
>>
>> --Saturday, June 23, 2001, 2:32:10 AM, you wrote to
>> freebsd-security@FreeBSD.ORG:
>>
>> a> is it possible to disable using ipfw so people won't be able to
>> a> traceroute me?
>>
>>
>>
>> a> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> a> with "unsubscribe freebsd-security" in the body of the message
>>
>>
>> --
>> ~/3APA3A
>> ...he never sat down to program without a cudgel. (Lem)
>>
>>
>>

-- 
~/3APA3A
As long as you are in the hands of Providence, you will not manage to die before your time. (Twain)
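The following is an added example, not code from the original post or from 3APA3A. It models the three ipfw rule sets given above as drop predicates, builds the last-hop probe each traceroute style sends together with the reply an unfiltered host would send back, and reports which rule (if any) drops each. It makes the two points of the thread concrete: the UDP-window rule only helps if the whole probe port range fits inside the window, and a traceroute built on TCP SYN probes passes all three rules untouched. The port arithmetic follows the post (BSD traceroute starts at UDP port 33434 and increments once per probe); hop counts, probes per hop and the TCP port used by the TCP-SYN style are parameters or assumptions, not statements about any particular traceroute binary.

```python
"""Model of the ipfw filters from the thread (added example, not the post's
own code).  Port arithmetic follows the post: BSD traceroute starts at UDP
port 33434 and increments once per probe.  Hop count, probes per hop and the
TCP port used for a TCP-SYN traceroute are parameters/assumptions here."""

from dataclasses import dataclass

BASE_PORT = 33434  # first UDP destination port used by BSD traceroute


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    direction: str        # "in" (towards YOURNET) or "out" (from YOURNET)
    dport: int = 0        # UDP/TCP destination port
    icmp_type: int = -1   # ICMP type when proto == "icmp"


def probe_ports(hops, probes_per_hop, base=BASE_PORT):
    """All UDP ports a BSD-style traceroute uses on the way to a host `hops`
    away, as (first, last) inclusive.  Probes for hop k use
    base + (k-1)*probes .. base + k*probes - 1."""
    return base, base + hops * probes_per_hop - 1


def last_hop_ports(hops, probes_per_hop, base=BASE_PORT):
    """Only the ports of the probes that actually reach the target host."""
    first = base + (hops - 1) * probes_per_hop
    return first, first + probes_per_hop - 1


def udp_window_covers(max_hops, probes_per_hop, lo=33430, hi=33500):
    """True if every probe of a traceroute limited to max_hops lands inside
    the deny window, i.e. the rule stops it no matter where the target (or
    the black hole) sits on the path."""
    first, last = probe_ports(max_hops, probes_per_hop)
    return lo <= first and last <= hi


# The ipfw rules from the post, as predicates returning True when dropped.
def deny_udp_window_in(pkt, lo=33430, hi=33500):
    return pkt.proto == "udp" and pkt.direction == "in" and lo <= pkt.dport <= hi


def deny_icmp_echo_in(pkt):
    return pkt.proto == "icmp" and pkt.direction == "in" and pkt.icmp_type == 8


def deny_icmp_replies_out(pkt):
    return pkt.proto == "icmp" and pkt.direction == "out" and pkt.icmp_type in (0, 3, 11)


RULES = {
    "deny udp from any to YOURNET 33430-33500 in": deny_udp_window_in,
    "deny icmp from any to YOURNET icmptypes 8 in": deny_icmp_echo_in,
    "deny icmp from YOURNET to any icmptypes 0,3,11 out": deny_icmp_replies_out,
}


def blocked_by(pkt):
    """Names of the rules that would drop this packet (empty list: passes)."""
    return [name for name, rule in RULES.items() if rule(pkt)]


def last_hop_exchange(style, hops=4, probes_per_hop=3, tcp_port=80):
    """(probe, reply) for the final hop of one traceroute style.  The reply is
    what an unfiltered host answers: ICMP port-unreachable (type 3) to the
    UDP probe, ICMP echo reply (type 0) to the ICMP probe, and a plain TCP
    SYN/ACK to a TCP-SYN probe aimed at an open port (tcp_port is assumed)."""
    if style == "bsd-udp":
        first, _ = last_hop_ports(hops, probes_per_hop)
        return Packet("udp", "in", dport=first), Packet("icmp", "out", icmp_type=3)
    if style == "windows-icmp":
        return Packet("icmp", "in", icmp_type=8), Packet("icmp", "out", icmp_type=0)
    if style == "tcp-syn":
        return Packet("tcp", "in", dport=tcp_port), Packet("tcp", "out", dport=0)
    raise ValueError(style)


def survey(hops=4, probes_per_hop=3):
    """For each style: which rules drop the probe, which drop the reply."""
    result = {}
    for style in ("bsd-udp", "windows-icmp", "tcp-syn"):
        probe, reply = last_hop_exchange(style, hops, probes_per_hop)
        result[style] = (blocked_by(probe), blocked_by(reply))
    return result


if __name__ == "__main__":
    print("last-hop UDP ports for 4 hops, 3 probes:", last_hop_ports(4, 3))
    print("window holds 20 hops x 3 probes:", udp_window_covers(20, 3))
    print("window holds 30 hops x 3 probes:", udp_window_covers(30, 3))
    for style, (probe_hits, reply_hits) in survey().items():
        print(f"{style:13s} probe dropped by {probe_hits or 'nothing'}; "
              f"reply dropped by {reply_hits or 'nothing'}")
    # Collateral damage the post warns about: a legitimate inbound UDP
    # datagram to an ephemeral port inside the window is dropped too.
    print("reply to port 33450 dropped by:", blocked_by(Packet("udp", "in", dport=33450)))
```

Running it shows the TCP-SYN row with nothing dropped in either direction, which is the "route can be traced with different kinds of packets" caveat from the earlier reply; the udp_window_covers check is the one to run before trusting a fixed port window, since it fails as soon as max hops times probes per hop exceeds the window.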

