[c-nsp] Hiding a Cisco Router from a Traceroute

Robert Kiessling robert+c-nsp at josebus.org
Mon Oct 24 10:33:19 EDT 2005


Adam Greene wrote:
> Following up on this discussion ... in effect, we "block" traceroutes by
> implementing private IP addresses on router interfaces within our network.
> We viewed the utilization of private IP addresses as a security enhancement
> (i.e. the internal routers will never be victims of DoS attacks originating
> from outside our network).

Implementing private IP addresses on links between your routers
violates RFC1918 unless you implement filters on your borders.
You still originate the ICMPs and they still reach the sources
(unless filtered). This is a very bad idea.

One solution to your problem is to use addresses for the links
which are assigned to you (eg. by ARIN or RIPE or an intermediary)
but which are not advertised in the DFZ. You can, for example,
get PI addresses separate from your normal PA addresses.

This way users see the same traceroute results including reverse
DNS, but no one outside your AS can directly reach your routers.

There is a catch though. Some networks implement loose RPF filters
which in this case means your ICMP responses will be filtered by
those networks and not reach external users tracerouting to you.

There is a workaround though. You can advertise that netblock
from somewhere external to your network to "trick" the loose RPF
filters. If you do this you might also wish to add reverse DNS to
some interfaces along the way that say something like
do-not-traceroute-to-this-address.the-results-are-completely-meaningless.your.net

Robert
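
As an added illustration of the loose-RPF catch and its workaround described above (example code, not part of Robert's message), a small Python model of what an external user's traceroute shows when a transit network applies loose uRPF (Cisco: `ip verify unicast source reachable-via any`). The prefixes and hop addresses are constructed from RFC 5737 documentation space, not real assignments.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed example prefixes (RFC 5737 documentation space, not real assignments).
PA_BLOCK = ipaddress.ip_network("198.51.100.0/24")   # advertised in the DFZ
PI_LINKS = ipaddress.ip_network("203.0.113.0/24")    # assigned to you, NOT advertised

# Constructed hop-by-hop path of the traceroute probes. Each router answers
# ICMP time-exceeded sourced from the interface address the probe arrived on.
PATH_INTERFACES = [
    "198.51.100.1",    # border router, numbered from the advertised PA block
    "203.0.113.1",     # internal link, numbered from the unadvertised PI block
    "203.0.113.5",     # another internal link from the PI block
    "198.51.100.200",  # destination host
]


def loose_urpf_accepts(src: str, fib: Iterable[ipaddress.IPv4Network]) -> bool:
    """Loose-mode uRPF: a packet passes if *any* route in the FIB covers its
    source address, regardless of which interface it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in fib)


def traceroute_view(path: List[str],
                    fib: Iterable[ipaddress.IPv4Network]) -> List[Optional[str]]:
    """Hop list the external user sees. None (rendered as '*') marks a hop
    whose ICMP reply the transit network's loose uRPF filter discarded."""
    fib = list(fib)
    return [hop if loose_urpf_accepts(hop, fib) else None for hop in path]


def render(hops: List[Optional[str]]) -> str:
    """Format a hop list the way a traceroute would print it."""
    return " -> ".join(hop if hop is not None else "*" for hop in hops)


if __name__ == "__main__":
    # The catch: with only the PA block in the DFZ, the PI-numbered hops vanish.
    print("PI block not advertised:", render(traceroute_view(PATH_INTERFACES, [PA_BLOCK])))
    # The workaround: once the PI block is announced from anywhere, loose uRPF
    # finds a route for those sources again and the hops reappear.
    print("PI block advertised:    ", render(traceroute_view(PATH_INTERFACES, [PA_BLOCK, PI_LINKS])))
```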


