Date: Tue, 26 Jun 2001 15:08:13 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: "alexus" <ml@db.nexgen.com>
Cc: freebsd-security@FreeBSD.org
Subject: Re[2]: disable traceroute to my host
Message-ID: <3181060651.20010626150813@SECURITY.NNOV.RU>
In-Reply-To: <009201c0fdad$57c2af00$9865fea9@book>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book>
Hello alexus,

BSD-style traceroute sends UDP packets starting from port 33434, increasing the port for every packet. If someone traceroutes your host with 3 packets for each TTL, and your host is located 4 hops away, you'll get UDP packets for ports 33443-33445 if your server replies to traceroute, or 33443-33490 (default is 20 hops max) if your host is unreachable.

The ipfw rule

deny udp from any to YOURNET 33430-33500 in

will stop the default BSD traceroute, but can lead to some problems if these ports are dynamically allocated to some program.

Windows uses ICMP type 8 (echo) for traceroute. You must disable incoming ICMP type 8 to prevent Windows-style traceroute (this will also stop discovering the route via ping -R). Use

deny icmp from any to YOURNET icmptypes 8 in

Another possible solution is to prevent your hosts from replying to traceroute:

deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out

0  - to stop Windows traceroute and ping
3  - to stop BSD-style traceroute
11 - to prevent intermediate routers from replying to traceroute

--Monday, June 25, 2001, 11:30:50 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

a> I understand I can't really disable the whole tree of traceroute.. I can
a> only disable my very last hop.. I also understand it's not going to do much..
a> but I still would like to do so..
a> I need to find out which ICMP type it uses and most of all how I can make it
a> so I can traceroute from my box but people won't be able to traceroute to me
a> (on the last hop)

a> ----- Original Message -----
a> From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
a> To: "alexus" <ml@db.nexgen.com>
a> Sent: Saturday, June 23, 2001 7:05 AM
a> Subject: Re: disable traceroute to my host

>> Hello alexus,
>>
>> It's impossible to disable traceroute on your host. You can filter
>> incoming ICMP echo request and UDP packets or outgoing TTL exceeded
>> ICMP packets on a corporate firewall to disable your internal network
>> structure discovery, but it doesn't solve the problem completely, because
>> the route can be traced with different kinds of packets. A better way is to
>> use NAT between private and public networks.
>>
>> --Saturday, June 23, 2001, 2:32:10 AM, you wrote to
>> freebsd-security@FreeBSD.ORG:
>>
>> a> is it possible to disable using ipfw so people won't be able to
>> a> traceroute me?
>>
>> a> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> a> with "unsubscribe freebsd-security" in the body of the message
>>
>> --
>> ~/3APA3A
>> ...he never took up programming without a cudgel. (Lem)

--
~/3APA3A
As long as you are in the hands of Providence, you will not manage to die before your time. (Twain)
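The port arithmetic and the three ipfw rules from the message above, modelled in Python as an added example (this is not code from the original post, nor FreeBSD's or ipfw's own code). The `Packet` and `DenyRule` classes are a hypothetical, much simplified subset of what ipfw matches on, the packet records are constructed, and the maximum TTL is a parameter rather than a constant because it differs between traceroute implementations (the message assumes 20). The example also goes a step beyond the message: `leaked_probe_ports` shows which probe ports a fixed 33430-33500 block does not cover once a tracer runs to a higher maximum TTL against a silent host.

```python
# Added example: a model of BSD-style traceroute probe ports and of the
# ipfw-style deny rules from the message.  Not code from the original post;
# the rule syntax is a simplified, hypothetical subset of ipfw.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

BASE_PORT = 33434  # first UDP destination port used by BSD-style traceroute


def udp_probe_ports(hops: int, probes_per_hop: int = 3, replies: bool = True,
                    max_ttl: int = 30) -> Tuple[int, int]:
    """Inclusive range of UDP ports a host `hops` hops away receives.

    Probe number n for time-to-live ttl goes to
    BASE_PORT + (ttl - 1) * probes_per_hop + n, with n in 0..probes_per_hop-1.
    Probes with ttl < hops expire at intermediate routers and never reach
    the host.  If the host answers with ICMP port unreachable the tracer
    stops at ttl == hops; otherwise it keeps probing up to max_ttl.
    max_ttl is a parameter because implementations differ (the message
    assumes 20).
    """
    if not 1 <= hops <= max_ttl:
        raise ValueError("hops must be within 1..max_ttl")
    last_ttl = hops if replies else max_ttl
    first = BASE_PORT + (hops - 1) * probes_per_hop
    last = BASE_PORT + last_ttl * probes_per_hop - 1
    return first, last


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the fields the rules look at."""
    proto: str                       # "udp" or "icmp"
    direction: str                   # "in" or "out"
    dport: Optional[int] = None      # UDP destination port
    icmptype: Optional[int] = None   # ICMP message type


@dataclass(frozen=True)
class DenyRule:
    """Hypothetical model of 'deny <proto> from any to YOURNET ... <dir>'."""
    proto: str
    direction: str
    ports: Optional[Tuple[int, int]] = None  # inclusive dport range
    icmptypes: Tuple[int, ...] = ()          # empty means any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.direction != self.direction:
            return False
        if self.ports is not None:
            return pkt.dport is not None and self.ports[0] <= pkt.dport <= self.ports[1]
        if self.icmptypes:
            return pkt.icmptype in self.icmptypes
        return True


def denied(rules: Sequence[DenyRule], pkt: Packet) -> bool:
    """Deny-only rule set: the packet is dropped if any rule matches it."""
    return any(rule.matches(pkt) for rule in rules)


# The three rules proposed in the message, in the simplified model.
RULES = [
    DenyRule("udp", "in", ports=(33430, 33500)),    # deny udp from any to YOURNET 33430-33500 in
    DenyRule("icmp", "in", icmptypes=(8,)),         # deny icmp from any to YOURNET icmptypes 8 in
    DenyRule("icmp", "out", icmptypes=(0, 3, 11)),  # deny icmp from YOURNET to any icmptypes 0,3,11 out
]


def leaked_probe_ports(rules: Sequence[DenyRule], hops: int, probes_per_hop: int = 3,
                       replies: bool = False, max_ttl: int = 30) -> List[int]:
    """UDP probe ports that the inbound rules would still let through."""
    first, last = udp_probe_ports(hops, probes_per_hop, replies, max_ttl)
    return [p for p in range(first, last + 1)
            if not denied(rules, Packet("udp", "in", dport=p))]


if __name__ == "__main__":
    print("host 4 hops away, replies:", udp_probe_ports(4))
    print("host 4 hops away, silent, max_ttl 20:", udp_probe_ports(4, replies=False, max_ttl=20))
    leaked = leaked_probe_ports(RULES, 4, max_ttl=30)
    print("probe ports not covered by 33430-33500 at max_ttl 30:", leaked[0], "-", leaked[-1])
    print("Windows tracert probe (ICMP 8 in) denied:", denied(RULES, Packet("icmp", "in", icmptype=8)))
    print("our TTL-exceeded reply (ICMP 11 out) denied:", denied(RULES, Packet("icmp", "out", icmptype=11)))
```

The inbound port range is only as good as the assumption about the tracer's maximum TTL and probe count: with the message's 20 hops and 3 probes, a silent host four hops away sees nothing above 33493, but with `-m 30` the same trace reaches 33523 and the last 23 probes pass the 33430-33500 rule. The outbound `icmptypes 0,3,11` rule does not depend on port guessing, which is why the model checks it by ICMP type alone.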
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3181060651.20010626150813>