Date:      Wed, 27 Jun 2001 15:17:21 -0400
From:      "alexus" <ml@db.nexgen.com>
To:        "Ryan Masse" <mail@max-info.net>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: disable traceroute to my host
Message-ID:  <001101c0ff3d$ca013aa0$01000001@book>
References:  <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home>

sounds good.. although what is tcp there for?

----- Original Message -----
From: "Ryan Masse" <mail@max-info.net>
To: "alexus" <ml@db.nexgen.com>
Cc: <freebsd-security@freebsd.org>
Sent: Tuesday, June 26, 2001 6:59 PM
Subject: Re: disable traceroute to my host


> did u get my post about blackhole?
>
> man blackhole
> <snip>
>      In the UDP instance, enabling blackhole behaviour turns off the sending
>      of an ICMP port unreachable message in response to a UDP datagram which
>      arrives on a port where there is no socket listening.  It must be noted
>      that this behaviour will prevent remote systems from running
>      traceroute(8) to your system.
> <snip>
>
> The following would enable the use of blackhole on your system;
> sysctl -w net.inet.tcp.blackhole=2
> sysctl -w net.inet.udp.blackhole=1
>
> The above would block *nix traceroutes using the udp method. Simply use ipfw
> icmptype to block all MS attempts
>
> Ryan
>
>
> > someone else using ttl=1? that's sux.. oh well i guess it's impossible to
> > disable it.. cuz i don't want to block something that should work..
> >
> > thanks everyone
> >
> > ----- Original Message -----
> > From: "Peter Pentchev" <roam@orbitel.bg>
> > To: "alexus" <ml@db.nexgen.com>
> > Cc: "Simon Rakovec" <simon@inforta.com>; <freebsd-security@freebsd.org>
> > Sent: Tuesday, June 26, 2001 1:58 AM
> > Subject: Re: disable traceroute to my host
> >
> >
> > > On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> > > > i agree this is not a solution.. looks like ttl=1 is best solution so
> > > > far
> > >
> > > TTL=1 is not a general solution, because it only blocks traceroutes to
> > > this particular host, not to any machines that it is acting as a gateway
> > > for.
> > >
> > > Moreover, TTL=1 is not a real-world solution, because some *legitimate*
> > > packets might arrive with TTL=1 (yes, there are some OS's that set too
> > > low TTL's on outgoing packets, and there are some global backbone ISP's
> > > which have a *lot* of routers, so it is possible that a normal packet
> > > destined for your host should reach you with TTL=1).
> > >
> > > And just btw..  Really, why do you want to block traceroutes?
> > >
> > > G'luck,
> > > Peter
> > >
> > > --
> > > because I didn't think of a good beginning of it.
> > >
> > > > ----- Original Message -----
> > > > From: "Peter Pentchev" <roam@orbitel.bg>
> > > > To: "Simon Rakovec" <simon@inforta.com>
> > > > Cc: <freebsd-security@freebsd.org>
> > > > Sent: Monday, June 25, 2001 2:37 AM
> > > > Subject: Re: disable traceroute to my host
> > > >
> > > >
> > > > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > > > > Try this:
> > > > > >
> > > > > > ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523
> > > > >
> > > > > As Karsten noted in a followup, this is not proper network practice.
> > > > > There might be a LOT of things listening on those UDP ports,
> > > > > including ephemeral outgoing UDP connections.
> > > > >
> > > > > As many other people noted, this does not stop Windows traceroute,
> > > > > which goes via ICMP.
> > > > >
> > > > > As the traceroute(8) manpage notes, this does not stop people who
> > > > > know how to use the traceroute '-p port' option to select a starting
> > > > > port != 32768.
> > > > >
> > > > > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
> > > > > a person determined to traceroute you, and in practice, there is
> > > > > no need to.
> > > > >
> > > > > G'luck,
> > > > > Peter
> > > > >
> > > > > PS. How was that now... one source: plagiarism, two sources:
> > > > > comparative study, three sources: an academic thesis..  I did even
> > > > > better than that! ;)
> > > > >
> > > > > --
> > > > > Thit sentence is not self-referential because "thit" is not a word.
> > > > >
> > > > > > alexus wrote:
> > > > > > >
> > > > > > > is it possible to disable using ipfw so people won't be able to
> > > > > > > traceroute me?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
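An added illustration, not from anyone in this thread, of what the two sysctls Ryan quotes actually change: the final-hop reply that traceroute relies on disappears, while the ICMP echo probes Windows tracert sends are untouched (hence the separate ipfw icmptype rule), and the TCP value matters only for segments to closed TCP ports (1 suppresses the RST for SYNs, 2 for every segment). The Host/Packet model, the protocol labels and the drop_icmp_echo flag are my own constructions that stand in for the kernel and an ipfw rule; nothing touches real sockets.

```python
from dataclasses import dataclass, field

@dataclass
class Host:                                    # reply behaviour of a FreeBSD host
    udp_blackhole: int = 0                     # net.inet.udp.blackhole: 0 or 1
    tcp_blackhole: int = 0                     # net.inet.tcp.blackhole: 0, 1 (SYN only) or 2 (all)
    udp_listeners: set = field(default_factory=set)
    tcp_listeners: set = field(default_factory=set)
    drop_icmp_echo: bool = False               # stands in for an ipfw rule denying icmptypes 8

@dataclass
class Packet:                                  # constructed probe, no real packet
    proto: str                                 # "udp", "tcp-syn", "tcp-other" or "icmp-echo"
    dport: int = 0

def reply(host, pkt):
    """What the host sends back, or None if blackholing keeps it silent."""
    if pkt.proto == "udp":
        if pkt.dport in host.udp_listeners:
            return "delivered"                 # a bound socket is unaffected
        return None if host.udp_blackhole else "icmp-port-unreachable"
    if pkt.proto == "tcp-syn":
        if pkt.dport in host.tcp_listeners:
            return "syn-ack"
        return None if host.tcp_blackhole >= 1 else "rst"
    if pkt.proto == "tcp-other":               # non-SYN segment to a closed port
        if pkt.dport in host.tcp_listeners:
            return "delivered"
        return None if host.tcp_blackhole >= 2 else "rst"
    if pkt.proto == "icmp-echo":               # what Windows tracert uses
        return None if host.drop_icmp_echo else "icmp-echo-reply"
    raise ValueError(pkt.proto)

def traceroute(path_hops, target, proto, dport=33434, max_ttl=6):
    """Simulate traceroute: routers in front of the target answer expiring probes with
    icmp-time-exceeded; the target's own reply (or silence, shown as '*') ends the run."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        if ttl <= path_hops:
            hops.append("router%d:icmp-time-exceeded" % ttl)
            continue
        r = reply(target, Packet(proto, dport))
        if r is None:
            hops.append("*")                   # blackholed: the last hop never shows up
            continue
        hops.append("target:" + r)
        break
    return hops
```

The intermediate routers still answer, so blackholing only hides the last line of the trace; it does not prevent anyone from seeing the path in front of the host.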




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001101c0ff3d$ca013aa0$01000001>