[j-nsp] Block traceroute and Allow Ping

Masood Shah masoodshah at juniper.net
Wed Sep 30 05:09:38 EDT 2009


Truman is correct: blocking traceroute is not straightforward...

To block traceroute on Linux, start by DROPping ports 33434 to 33600. Of course, Truman makes a good point that this range can be overridden, for example in Linux with the -p option. If you are REALLY paranoid, you can DROP all UDP traffic and then only open the ports that you have services running on. Sometimes this is easier said than done though.

Windows uses "normal" ICMP echo requests with low TTL values. And the replies are ICMP type 11 (TTL exceeded), or ICMP type 0 (echo reply, when the destination has been reached).

So if you want to block both Windows and *NIX traceroutes, you need to either:
- block outgoing messages destined to UDP ports 33434 to 33534, AND outgoing ICMP echo-request messages
or
- block incoming ICMP type 11 and type 0 messages

To avoid a long discussion on this topic I would add that the UNIX version of tracert performs the same function as the Windows version except that the IP payload is a UDP packet. According to RFC1393, traceroute implementations are supposed to use the ICMP protocol. Indeed, the Windows implementation does use ICMP. However, by default, the Linux implementation uses UDP, unless you apply the "-I" option, in which case it will use ICMP.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/
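The classification rules Masood describes above (UDP probes to 33434-33534, ICMP echo-request with a low TTL for Windows tracert, type 11 / type 0 replies) and Pekka's caveat that ping and tracert share the same ICMP type can be checked against actual packet bytes. The following Python script is an added example, not code from this thread, from Juniper or from any of the posters: it builds a few constructed IPv4 packets and labels each one. The thread quotes several UDP ranges (33434-33534, 33434-33600, 33434-33678); the script uses the 33434-33534 range from the bullet list. The low-TTL threshold of 30 is an assumption (ordinary pings leave hosts with a TTL of 64, 128 or 255, so a TTL of a few hops is a hint, not proof).

```python
"""Classify raw IPv4 packets as traceroute probes vs. ordinary ping traffic.

Added example (not from the juniper-nsp thread). Rules, as stated in the thread:
  UNIX traceroute  = UDP to destination ports 33434-33534 (default, client can override)
  Windows tracert  = ICMP echo-request with a low TTL
  replies          = ICMP type 11 (TTL exceeded) or ICMP type 0 (echo reply)
"""
import struct

UDP_TRACEROUTE_PORTS = range(33434, 33535)   # 33434-33534 inclusive, per the thread
LOW_TTL_THRESHOLD = 30                       # assumption: below this an echo-request looks like a tracert hop
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, ttl: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Build a minimal IPv4 packet (constructed test input, no options)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_payload(dport: int, data: bytes = b"\x00" * 32) -> bytes:
    """UDP header (constructed source port 40000, zero checksum) plus filler data."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


def icmp_payload(icmp_type: int, code: int = 0) -> bytes:
    """ICMP header: type, code, checksum (zeroed), identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1)


def classify(packet: bytes) -> str:
    """Return a label for one raw IPv4 packet using the thread's traceroute rules."""
    if len(packet) < 20:
        return "malformed"
    version_ihl, ttl, proto = packet[0], packet[8], packet[9]
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return "malformed"
    body = packet[ihl:]
    if proto == PROTO_UDP and len(body) >= 8:
        dport = struct.unpack("!H", body[2:4])[0]
        if dport in UDP_TRACEROUTE_PORTS:
            return "unix-traceroute-probe"
        return "udp-other"          # e.g. traceroute run with -p on another port: not matched
    if proto == PROTO_ICMP and len(body) >= 4:
        icmp_type = body[0]
        if icmp_type == ICMP_ECHO_REQUEST:
            # Pekka's caveat: ping and tracert share this type; only the TTL separates them
            return "windows-tracert-probe" if ttl < LOW_TTL_THRESHOLD else "ping-request"
        if icmp_type == ICMP_TIME_EXCEEDED:
            return "traceroute-reply-ttl-exceeded"
        if icmp_type == ICMP_ECHO_REPLY:
            return "echo-reply"
        return "icmp-other"
    return "other"


def main():
    # Constructed sample packets covering each rule and the -p evasion caveat
    samples = {
        "unix probe": build_ipv4(PROTO_UDP, 3, udp_payload(33435)),
        "unix probe on -p port": build_ipv4(PROTO_UDP, 3, udp_payload(40001)),
        "windows tracert hop 2": build_ipv4(PROTO_ICMP, 2, icmp_payload(ICMP_ECHO_REQUEST)),
        "ordinary ping": build_ipv4(PROTO_ICMP, 128, icmp_payload(ICMP_ECHO_REQUEST)),
        "ttl exceeded reply": build_ipv4(PROTO_ICMP, 64, icmp_payload(ICMP_TIME_EXCEEDED)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {classify(pkt)}")


if __name__ == "__main__":
    main()
```

The "unix probe on -p port" sample lands in `udp-other`, which is exactly Truman's point: a port-range match only catches the default probe ports. The echo-request branch is the "hackish" TTL-plus-type match Pekka mentions; it cannot tell a low-TTL ping from a tracert hop, so a filter built on it trades false positives for coverage.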



-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net on behalf of Truman Boyes
Sent: Wed 9/30/2009 10:34
To: Iftikhar Ahmed
Cc: juniper-nsp at puck.nether.net; Pekka Savola
Subject: Re: [j-nsp] Block traceroute and Allow Ping
 
This will block some types of traceroute, but a client can always use different ports.

Why do you want to block traceroute?

On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:

> Atif,
>
> Try applying a filter to the loopback interface with something like
>
>
> term traceroute {           /* discard traceroute udp packets */
>     from {
>         protocol udp;
>         destination-port 33434-33678;
>     }
>     then {
>         count traceroute;
>         discard;
>     }
> }
> term default {
>     then {
>         accept;
>     }
> }
>
>
>
> Regards,
> Iftikhar Ahmed
>
> On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola <pekkas at netcore.fi> wrote:
>
>> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>>
>>> I want to block traceroute transit traffic on the router but I want to allow
>>> ping transit traffic. Kindly let me know the ICMP Type and Code for traceroute
>>> and kindly let me know the procedure to block traceroute but allow ping.
>>>
>>
>> You can't if you want to support all flavours of traceroute as some of
>> those use the equivalent of ping.  Maybe you could match by both TTL and
>> ICMP type/code but that would be hackish.  To learn more about how
>> traceroute works, see:
>>
>> http://en.wikipedia.org/wiki/Traceroute
>>
>> --
>> Pekka Savola                 "You each name yourselves king, yet the
>> Netcore Oy                    kingdom bleeds."
>> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
