[c-nsp] Hiding a Cisco Router from a Traceroute

Kristofer Sigurdsson kristo at ipf.is
Thu Oct 20 13:12:37 EDT 2005


Hi,

On Thu, 2005-10-20 at 18:47 +0200, Gordon Bezzina wrote:
> Hi,
> 
> I do not know if this is possible with an ACL, but I would like to hide my
> network topology from the internet.
> 
> Eg. trace to c.c.c.c
> 
> 1 a.a.a.a
> 2 b.b.b.b
> 3 c.c.c.c
> 
> Assume that c.c.c.c is final client whilst b.b.b.b is my border router and
> a.a.a.a and before is from the Internet. Now I want to set up an ACL that
> hides from b onwards. Excuse my ignorance, but I cannot find a clean way to
> do it. Obviously, I still want my client to be able to perform pings and
> traceroutes to the external world.

See ramble at the end...

Here's how traceroute is done:

The host sends a UDP packet on port 33435 to the host he's 
traceroute'ing to, with a TTL of 1.
The first router on the way decrements the TTL to 0, which means
the packet can't go any further.  This router sends an ICMP time to
live exceeded packet back to the host to inform you of this, which
gives your traceroute tool the info it needs about the first router
on the way.

Traceroute now does the same thing, except the port number is now
33436, and TTL 2.  The second router on the way sends the ICMP time
to live exceeded back...etc.

This is repeated with incrementing port numbers and TTLs, until the
end host responds.

To disable this, you could for example create an ACL on b.b.b.b banning
ICMP time to live exceeded from your routers to the end host, or banning
UDP ports 33435 - 33465 from the end host to your routers.

Ramble:

Disabling traceroute means disabling a very useful tool in all sorts of
debugging.  This is something users should have: it gives clued
individuals a way to find out whether their system is broken or the
service provider's, thereby reducing the load on the service provider's
help desk, and it is something the help desk is likely to ask the
customer to use in diagnosing problems.

You really should ask yourself why you want to disable traceroute.  If 
it's for security reasons, maybe you should try and find out why your
network is so vulnerable it is dangerous for people to know the IP 
addresses or basic scheme of your network.

End of ramble.


-- 
Kristófer Sigurðsson           Tel: +354 414 1600
Netrekstur/Network Operations  IP Fjarskipti ehf.
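The exchange described in the message above, as an added example that is not part of the original post or anyone's production code: a small Python simulation of classic UDP traceroute across the thread's placeholder path a.a.a.a -> b.b.b.b -> c.c.c.c, with the two ACL options from the mail applied on the border router b.b.b.b. Packets are Python objects handed from hop to hop rather than raw sockets, so it runs offline. Assumptions: the tracing host is named h.h.h.h, the first probe port is 33435 as stated in the mail, and the border router filters its own ICMP replies as well as replies transiting it (on a real Cisco IOS box an outbound interface ACL does not filter traffic the router itself originates, so that part needs a different mechanism on b.b.b.b; the ACL does catch replies from routers behind it). Two things the simulation makes visible: dropping time-exceeded replies turns the hidden hop into "* * *" but the final host still answers, so the hop count leaks; dropping the probe ports also stops the probes reaching c.c.c.c, so the trace never completes.

```python
"""Simulated UDP traceroute over a.a.a.a -> b.b.b.b -> c.c.c.c.

Added example, not code from the mailing-list post.  Packets are plain
objects passed hop to hop so the TTL-decrement / ICMP time-exceeded
exchange and the effect of an ACL on the border router can be run
offline.  h.h.h.h (tracing host) and port 33435 are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BASE_PORT = 33435                      # first probe port, per the mail
TRACER = "h.h.h.h"                     # assumed address of the tracing host
PATH = ["a.a.a.a", "b.b.b.b", "c.c.c.c"]   # a = Internet, b = border, c = client


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    proto: str                 # "udp" probe or "icmp" reply
    dport: int = 0             # UDP destination port of a probe
    icmp_type: str = ""        # "time-exceeded" or "port-unreachable"


@dataclass
class Acl:
    """The two filters suggested in the mail, as applied on one router."""
    deny_udp_ports: Optional[range] = None   # drop inbound probes in this range
    deny_time_exceeded: bool = False         # drop ICMP time-exceeded replies


def return_reply(origin_idx: int, reply: Packet,
                 acls: Dict[str, Acl]) -> Optional[Packet]:
    """Walk the reply back toward the tracer; a hop with the ICMP ACL drops it."""
    for hop in PATH[origin_idx::-1]:          # originator first, then upstream
        acl = acls.get(hop)
        if acl and acl.deny_time_exceeded and reply.icmp_type == "time-exceeded":
            return None
    return reply


def send_probe(probe: Packet, acls: Dict[str, Acl]) -> Optional[Packet]:
    """Forward one UDP probe along PATH; return the ICMP reply, or None."""
    for idx, hop in enumerate(PATH):
        acl = acls.get(hop)
        if acl and acl.deny_udp_ports and probe.dport in acl.deny_udp_ports:
            return None                       # probe dropped on ingress
        probe.ttl -= 1                        # every hop decrements the TTL
        if hop == probe.dst:
            # nothing listens on the probe port, so the destination answers
            # with ICMP port unreachable, which is what ends a traceroute
            reply = Packet(hop, probe.src, 64, "icmp", icmp_type="port-unreachable")
        elif probe.ttl == 0:
            reply = Packet(hop, probe.src, 64, "icmp", icmp_type="time-exceeded")
        else:
            continue                          # still has TTL left, next hop
        return return_reply(idx, reply, acls)
    return None


def traceroute(dst: str, acls: Dict[str, Acl], max_ttl: int = 6) -> List[str]:
    """Classic traceroute: one probe per TTL, port incremented each time."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        probe = Packet(TRACER, dst, ttl, "udp", dport=BASE_PORT + ttl - 1)
        reply = send_probe(probe, acls)
        hops.append(reply.src if reply else "*")
        if reply and reply.icmp_type == "port-unreachable":
            break                             # destination reached
    return hops


SCENARIOS = {
    "no filtering": {},
    "b drops time-exceeded from b onward": {"b.b.b.b": Acl(deny_time_exceeded=True)},
    "b drops UDP probe ports 33435-33465": {
        "b.b.b.b": Acl(deny_udp_ports=range(33435, 33466))},
}

if __name__ == "__main__":
    for name, acls in SCENARIOS.items():
        print(f"{name}:")
        for n, hop in enumerate(traceroute("c.c.c.c", acls), 1):
            print(f"  {n:2d}  {hop}")
```

Running it prints the three traces side by side: the unfiltered one lists all three hops, the ICMP filter shows a.a.a.a, then "*", then c.c.c.c, and the UDP filter shows a.a.a.a followed by nothing but "*" up to max_ttl.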


