Date: Mon, 25 Jun 2001 15:56:21 -0400
From: "alexus" <ml@db.nexgen.com>
To: "Brian" <bri@sonicboom.org>, "Jewfish" <jewfish@jewfish.net>, "Igor Podlesny" <poige@morning.ru>
Cc: <freebsd-security@FreeBSD.ORG>, <freebsd-isp@FreeBSD.ORG>
Subject: Re: disable traceroute to my host
Message-ID: <01ae01c0fdb0$e7eb8fe0$9865fea9@book>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <003d01c0fc30$053716a0$3324200a@sonicboom.org>
well basically i wanted to block all traceroute .. whether its windows or unix

----- Original Message -----
From: Brian
To: Jewfish ; Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 6:01 PM
Subject: Re: disable traceroute to my host

Aren't u leaving out some details, like for example windows tracert is icmp based, whereas unix traces are udp..

Bri

----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 12:32 PM
Subject: Re: disable traceroute to my host

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote:
>> is it possible to disable using ipfw so people won't be able to traceroute me?
>
> Yes, of course.
>
> You should know how traceroute-like utilities work.
>
> The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) but it also should be mentioned that man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.
>
> so man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with the -p option. Besides, windows' tracert works using icmp proto, so the decision isn't here. It lies in what the box does when answering to them. It does send a 'time exceeded in-transit' icmp message cause the TTL value is set too low to let the packet jump forward. So it is the answer -- you should disallow it with your ipfw, e.g. using such syntax:
>
> deny icmp from any to any icmptype 11
>
> (yeah, you should carefully think about whether or not to use ANY cause if your box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;)
>
> This is not the end, alas. unix traceroute will wait for a port unreach icmp so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now.
>
> P.S. there are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via the FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter)
>
> read the man pages, man, they are freely available...
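The rule logic discussed in this thread, as an added example that is not part of any message above: a small Python script that parses a raw ICMP header, verifies its checksum, and applies James's two allow rules plus ipfw's implicit final deny to decide whether a given ICMP message would pass ep0 inbound or outbound. It then checks, for each of the four reply kinds Brian and Igor describe (type 11 from an intermediate hop, type 3 code 3 for a unix traceroute end point, type 0 for a Windows tracert end point), whether that reply would still leave the box. All function and constant names and the sample packets are my own constructions; nothing here calls ipfw or touches the network.

```python
"""ICMP classifier modelled on the ipfw rules quoted in this thread.

Added example, not code from anyone in the thread.  It parses a raw ICMP
message (RFC 792 header: type, code, checksum), verifies the checksum, and
returns the verdict James's two rules plus ipfw's implicit final deny would
give.  Function and constant names are my own; the sample packets are
constructed here and sent nowhere.
"""
import struct

# ICMP types/codes the thread talks about (RFC 792 numbering)
ECHO_REPLY = 0        # what Windows tracert waits for at the end point
DEST_UNREACH = 3      # with code 3 (port unreachable): what unix traceroute waits for
ECHO_REQUEST = 8
TIME_EXCEEDED = 11    # "time exceeded in-transit": the intermediate-hop reply
PORT_UNREACH = 3      # code under type 3

# James's rules: "allow ... in recv ep0 icmptype 0,3,11,14,16,18" and
# "allow ... out xmit ep0 icmptype 8"; anything else hits the default deny.
INBOUND_ALLOWED = {0, 3, 11, 14, 16, 18}
OUTBOUND_ALLOWED = {8}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (for the samples below)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + payload


def parse_icmp(packet: bytes) -> tuple:
    """Return (type, code); reject truncated or corrupted messages."""
    if len(packet) < 4:
        raise ValueError("ICMP header truncated")
    # A message whose checksum field is correct sums to 0xFFFF, so the
    # complement of the sum over the whole message is 0.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


def ipfw_verdict(packet: bytes, direction: str) -> str:
    """'allow' or 'deny' for an ICMP packet seen 'in' (recv) or 'out' (xmit) on ep0."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    icmp_type, _code = parse_icmp(packet)
    allowed = INBOUND_ALLOWED if direction == "in" else OUTBOUND_ALLOWED
    return "allow" if icmp_type in allowed else "deny"


# The reply a box would generate for each kind of probe, as Brian and Igor
# describe it: a hop whose TTL ran out answers type 11 for both tools; the end
# point answers unix traceroute with type 3/code 3 and Windows tracert with
# type 0.  All four are outbound replies, so the "out xmit ep0" rule decides.
PROBE_REPLY = {
    "unix-intermediate": (TIME_EXCEEDED, 0),
    "unix-endpoint": (DEST_UNREACH, PORT_UNREACH),
    "windows-intermediate": (TIME_EXCEEDED, 0),
    "windows-endpoint": (ECHO_REPLY, 0),
}


def reply_hidden(probe_kind: str) -> bool:
    """True if the ruleset stops the box's reply to that probe from leaving ep0."""
    icmp_type, code = PROBE_REPLY[probe_kind]
    return ipfw_verdict(build_icmp(icmp_type, code), "out") == "deny"


if __name__ == "__main__":
    for kind in PROBE_REPLY:
        print("%-22s reply hidden: %s" % (kind, reply_hidden(kind)))
    # The same rules still let the box's own pings out and their replies in,
    # while an inbound echo request never reaches the stack.
    print("own ping out: ", ipfw_verdict(build_icmp(ECHO_REQUEST, 0), "out"))
    print("ping reply in:", ipfw_verdict(build_icmp(ECHO_REPLY, 0), "in"))
    print("inbound ping: ", ipfw_verdict(build_icmp(ECHO_REQUEST, 0), "in"))
```

The outbound allow-list is what does the hiding: every reply traceroute or tracert depends on (types 11, 3 and 0) is generated by the box but never leaves ep0, while its own echo requests (type 8) still go out and their replies (type 0) still come in. Igor's caveat applies unchanged: on a gateway the same rules also swallow type 11 replies for traffic the box forwards, so every host behind it disappears from other people's traces too.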
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01ae01c0fdb0$e7eb8fe0$9865fea9>