[c-nsp] Hiding a Cisco Router from a Traceroute
Adam Greene
maillist at webjogger.net
Mon Oct 24 09:43:16 EDT 2005
Following up on this discussion ... in effect, we "block" traceroutes by
implementing private IP addresses on router interfaces within our network.
We viewed the utilization of private IP addresses as a security enhancement
(i.e. the internal routers will never be victims of DoS attacks originating
from outside our network). However, it obviously has the major disadvantage
of disabling a useful (essential?) diagnostic tool. Has anyone else faced
this particular dilemma? It sounds like most of us would suggest utilizing
public IP addresses on router interfaces throughout our networks.
----- Original Message -----
From: "John Kristoff" <jtk at northwestern.edu>
To: <cisco-nsp at puck.nether.net>
Sent: Friday, October 21, 2005 8:32 PM
Subject: Re: [c-nsp] Hiding a Cisco Router from a Traceroute
> On Thu, 20 Oct 2005 17:12:37 +0000
> Kristofer Sigurdsson <kristo at ipf.is> wrote:
>
> > Here's how traceroute is done:
> >
> > The host sends a UDP packet on port 33435 to the host he's
> > traceroute'ing to, with a TTL of 1.
>
> You can effectively do a traceroute using any IP protocol and Windows
> by default uses ICMP echoes.
>
> I thought someone pointing out that MPLS can hide the topology was
> interesting. That would have to be one of the most peculiar reasons
> for implementing MPLS though. :-)
>
> I agree with the sentiment expressed in the note I'm replying to that
> blocking it is of dubious merit. However, if you insist, rather than
> a router ACL you probably want to look at a more sophisticated firewall
> solution.
>
> John
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
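As an added example that is not part of this thread and not Cisco or Webjogger code: a minimal UDP traceroute in Python built on the mechanics the quoted message describes (one UDP probe per TTL to port 33434 + TTL, so TTL 1 goes to 33435; each intermediate hop answers with ICMP Time Exceeded, the destination with ICMP Port Unreachable), plus an offline parser that labels each answering hop as RFC 1918 or public. That label is the point of the discussion above: a hop that answers from a private interface address either shows up with that address or, if something on the return path drops RFC 1918-sourced packets, shows up as a timeout ('*'). traceroute() needs raw-socket privileges and a network; build_icmp_reply() is a constructed test helper, and the addresses 10.1.2.3, 192.0.2.10 and 203.0.113.7 are made up for the demo.

```python
import ipaddress
import socket
import struct
import time

ICMP_TIME_EXCEEDED = 11   # TTL reached zero at an intermediate hop
ICMP_DEST_UNREACH = 3     # code 3 (port unreachable): the destination itself answered
BASE_PORT = 33434         # classic traceroute convention: probe port = BASE_PORT + ttl
IPPROTO_UDP = 17
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_icmp_reply(packet):
    """Parse a raw IPv4 datagram carrying ICMP, as a Linux raw ICMP socket delivers it.
    Returns (src_ip, icmp_type, icmp_code, probe_port); probe_port is the UDP
    destination port of the original probe quoted in the ICMP payload, or None
    if the quoted header is missing or is not UDP."""
    if len(packet) < 20:
        raise ValueError("short IP header")
    ihl = (packet[0] & 0x0F) * 4
    src_ip = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    probe_port = None
    quoted = icmp[8:]  # original IP header + first 8 bytes of its payload
    if len(quoted) >= 20:
        q_ihl = (quoted[0] & 0x0F) * 4
        if quoted[9] == IPPROTO_UDP and len(quoted) >= q_ihl + 4:
            probe_port = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return src_ip, icmp_type, icmp_code, probe_port


def classify_hop(ip):
    """'private' if the answering interface carries an RFC 1918 address, else 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"


def build_icmp_reply(router_ip, icmp_type, icmp_code, probe_src_ip, probe_dst_ip, probe_port):
    """Constructed reply in the shape a router sends back (checksums left zero;
    parse_icmp_reply does not verify them).  Offline demo/test helper only."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, IPPROTO_UDP, 0,
                            socket.inet_aton(probe_src_ip), socket.inet_aton(probe_dst_ip))
    quoted_udp = struct.pack("!HHHH", 40000, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted_ip + quoted_udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           socket.inet_aton(router_ip), socket.inet_aton(probe_src_ip))
    return outer_ip + icmp


def _wait_for_reply(rx, probe_port):
    """Read ICMP until a message quoting our probe port arrives or the socket times out."""
    deadline = time.monotonic() + rx.gettimeout()
    while time.monotonic() < deadline:
        try:
            pkt, _ = rx.recvfrom(1500)
        except socket.timeout:
            return None
        parsed = parse_icmp_reply(pkt)
        if parsed[3] == probe_port:   # ignore ICMP meant for other sockets on this host
            return parsed
    return None


def traceroute(host, max_hops=30, timeout=2.0):
    """One UDP probe per TTL.  Needs CAP_NET_RAW / root and a network, so it is not
    exercised offline.  Returns [(ttl, hop_ip_or_None, label)] with label in
    {'private', 'public', 'timeout'}."""
    dst = socket.gethostbyname(host)
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    rx.settimeout(timeout)
    hops = []
    try:
        for ttl in range(1, max_hops + 1):
            port = BASE_PORT + ttl
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
                tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
                tx.sendto(b"", (dst, port))
            reply = _wait_for_reply(rx, port)
            if reply is None:
                # The '*' case: a silent hop, or a reply sourced from a private address
                # that an anti-spoofing/bogon filter dropped on the way back to us.
                hops.append((ttl, None, "timeout"))
                continue
            src, icmp_type, icmp_code, _ = reply
            hops.append((ttl, src, classify_hop(src)))
            if icmp_type == ICMP_DEST_UNREACH and icmp_code == 3:
                break
    finally:
        rx.close()
    return hops


def demo_hop_labels():
    """Offline walk through two constructed replies: an internal router answering
    from 10.1.2.3, then the destination 203.0.113.7 answering port unreachable."""
    probe_src = "192.0.2.10"
    replies = [
        build_icmp_reply("10.1.2.3", ICMP_TIME_EXCEEDED, 0, probe_src, "203.0.113.7", BASE_PORT + 1),
        build_icmp_reply("203.0.113.7", ICMP_DEST_UNREACH, 3, probe_src, "203.0.113.7", BASE_PORT + 2),
    ]
    return [(parse_icmp_reply(r)[0], classify_hop(parse_icmp_reply(r)[0])) for r in replies]


if __name__ == "__main__":
    print(demo_hop_labels())
```

Run it as root against a real host with traceroute("example.net") to see the live variant; the probe-port match in _wait_for_reply is what keeps unrelated ICMP (other traceroutes, pings) from being attributed to the wrong hop. Note that classify_hop tests RFC 1918 space explicitly rather than using ipaddress's is_private, which also flags documentation and benchmarking ranges.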