[c-nsp] Traceroute results masking path to destination

Christopher.Marget at usc-bt.com Christopher.Marget at usc-bt.com
Thu Feb 2 09:08:40 EST 2012


> I am having some difficulty understanding some trace route results that I am
> receiving from the network I am on.  If I tracert from my location (France), the
> results are all masked with the destination address (Google's public DNS).  I
> understand that something in the network is substituting the actual hop address
> with the dest. address, but I do not completely understand why this is happening
> or how it is being accomplished.
> 
> I presume the device right after 10.164.17.2 is the culprit; would this be a
> firewall, proxy, or some other security device?

I've seen this sort of result when the traceroute probes are replied to with Type 3 Code 10: "Destination host unreachable due to administrative prohibition" instead of Type 11 Code 0: "TTL Exceeded".

In some cases this was because the traceroute probes actually reached the target system and it replied this way because it wasn't interested in receiving the traffic.

In other cases the replies were coming from a security device, but were spoofed to appear as though they were coming from the target system (REJECT instead of DROP in the firewall policy).

In both cases, the Type 3 Code 10 wasn't enough to persuade the traceroute client to stop probing, so it kept increasing TTL and trying again until it maxed out.

/chris
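
The following is an added example, not part of the original post: a Python sketch that parses the ICMP errors a prober receives and labels each hop by ICMP type and code, which is the detail the traceroute hop list hides. The packets are constructed sample data; only 10.164.17.2 comes from the thread, while the prober address, the destination address (a documentation placeholder) and all function names are assumptions.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"  # IPv4 header without options (20 bytes)

def build_reply(src, prober, icmp_type, code, probe_dst, probe_ttl=1):
    """Build a constructed IPv4+ICMP error packet (sample data; checksums left at 0)."""
    # ICMP errors quote the offending probe's IP header plus 8 payload bytes.
    quoted = struct.pack(IP_HDR, 0x45, 0, 28, 0, 0, probe_ttl, 1, 0,
                         socket.inet_aton(prober), socket.inet_aton(probe_dst)) + bytes(8)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    outer = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton(src), socket.inet_aton(prober))
    return outer + icmp

def classify(pkt):
    """Return (reply source, label) for one ICMP error received by the prober."""
    ihl = (pkt[0] & 0x0F) * 4                 # outer IP header length in bytes
    src = socket.inet_ntoa(pkt[12:16])        # address the hop line would show
    icmp_type, code = pkt[ihl], pkt[ihl + 1]
    quoted = pkt[ihl + 8:]                    # the probe's own IP header, echoed back
    probe_dst = socket.inet_ntoa(quoted[16:20])
    if (icmp_type, code) == (11, 0):
        return src, "ttl-exceeded"
    if icmp_type == 3 and src == probe_dst:
        return src, f"unreachable-code-{code}-as-destination"
    if icmp_type == 3:
        return src, f"unreachable-code-{code}"
    return src, f"icmp-{icmp_type}-{code}"

def masked_hops(replies):
    """TTLs whose reply carries the destination's address but is a Type 3 error."""
    return [ttl for ttl, pkt in replies
            if classify(pkt)[1].endswith("as-destination")]

# Constructed trace: 10.164.17.2 is the hop named in the thread; the prober and
# destination addresses are placeholders chosen for this example.
PROBER, DEST = "10.164.17.10", "192.0.2.53"
SAMPLE = [(1, build_reply("10.164.17.2", PROBER, 11, 0, DEST))] + [
    (ttl, build_reply(DEST, PROBER, 3, 10, DEST)) for ttl in (2, 3, 4)]

if __name__ == "__main__":
    for ttl, pkt in SAMPLE:
        print(ttl, *classify(pkt))
    print("hops showing the destination address:", masked_hops(SAMPLE))
```

The source address alone does not separate the two cases described in the post (the target answering itself versus a device answering with the target's address); the label only shows that the reply was a Type 3 error rather than Type 11 Code 0.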


