[c-nsp] Hiding a Cisco Router from a Traceroute
Babak Farrokhi
bfarrokhi at gmail.com
Thu Oct 20 13:47:11 EDT 2005
Hi,
I am not sure if it is possible in Cisco routers, but you should ask
your router not to modify (reduce) the TTL value in packets. Once you
can do that, the hop won't show up in the traceroute output.
On 10/20/05, Kristofer Sigurdsson <kristo at ipf.is> wrote:
> Hi,
>
> On Thu, 2005-10-20 at 18:47 +0200, Gordon Bezzina wrote:
> > Hi,
> >
> > I do not know if this is possible with an ACL, but I would like to hide my
> > network topology from the internet.
> >
> > Eg. trace to c.c.c.c
> >
> > 1 a.a.a.a
> > 2 b.b.b.b
> > 3 c.c.c.c
> >
> > Assume that c.c.c.c is final client whilst b.b.b.b is my border router and
> > a.a.a.a and before is from the Internet. Now I want to set up an ACL that
> > hides from b onwards. Excuse my ignorance, but I cannot find a clean way to
> > do it. Obviously, I still want my client to be able to perform pings and
> > traceroutes to the external world.
>
> See ramble at the end...
>
> Here's how traceroute is done:
>
> The host sends a UDP packet on port 33435 to the host he's
> traceroute'ing to, with a TTL of 1.
> The first router on the way decrements the TTL to 0, which means
> the packet can't go any further. This router sends an ICMP time to
> live exceeded packet back to the host to inform you of this, which
> gives your traceroute tool the info it needs about the first router
> on the way.
>
> Traceroute now does the same thing, except the port number is now
> 33436, and TTL 2. The second router on the way sends the ICMP time
> to live exceeded back...etc.
>
> This is repeated with incrementing port numbers and TTLs, until the
> end host responds.
>
> To disable this, you could for example create an ACL on b.b.b.b banning
> ICMP time to live exceeded from your routers to the end host, or banning
> UDP ports 33435 - 33465 from the end host to your routers.
>
> Ramble:
>
> Disabling traceroute means disabling a very useful tool in all sorts of
> debugging. This is something users should have: it gives clued
> individuals a way to find out whether their system is broken or the service
> provider's, thereby reducing the load on the service provider's help
> desk, and this command is something the help desk is likely to ask the
> customer to use in diagnosing problems.
>
> You really should ask yourself why you want to disable traceroute. If
> it's for security reasons, maybe you should try and find out why your
> network is so vulnerable it is dangerous for people to know the IP
> addresses or basic scheme of your network.
>
> End of ramble.
>
>
> --
> Kristófer Sigurðsson Tel: +354 414 1600
> Netrekstur/Network Operations IP Fjarskipti ehf.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Babak Farrokhi
email: babak at farrokhi.net
web: http://farrokhi.net/