Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 23 Jun 2001 11:13:08 +0700
From:      Igor Podlesny <poige@morning.ru>
To:        "alexus" <ml@db.nexgen.com>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: disable traceroute to my host
Message-ID:  <13760134158.20010623111308@morning.ru>
In-Reply-To: <006a01c0fb6b$2d64d830$9865fea9@book>
References:  <006a01c0fb6b$2d64d830$9865fea9@book>
next in thread | previous in thread | raw e-mail | index | archive | help 

> is it possible to disable using ipfw so people won't be able to traceroute
> me?

Yes, of course.

You should know how do traceroute-like utilities work.

The  knowledge can be easily extracted from a lot of sources, for e.g.
from  Internet,  cause you seem to be connected ;) but, it also should
be  mentioned  that  man pages coming with FreeBSD (I guess as well as
with other *NIX-likes OSes) also describe the algo.

so man traceroute says, that it uses udp ports starting with 33434 and
goes  up  with every new hop. but this could be easily changed with -p
option.  Besides,  windows'  tracert  works  using  icmp proto, so the
decision isn't here. It lies in what does the box do when answering to
them.  It  does send 'time exceeded in-transit' icmp message cause TTL
value  is  set  too  low  to let the packet jump forward. So it is the
answer  --  you should disallow it with your ipfw. for e.g. using such
syntax:

deny icmp from any to any icmptype 11

(yeah,  you  should  carefully  think  about whether or not to use ANY
cause  if  you're  box  is  a  gateway  other  people will notice your
cutting-edge knowledge cause it will hide not only your host ;)

This  is not the end, alas. unix traceroute will wait for port unreach
icmp  so  after  meeting,  it stops and displays the end-point of your
trace.  Windows'  tracert will wait for normal icmp-echo-reply for the
same  purpose.  So if you also wish to hide the end point, you need to
disallow  this also. I bet you can figure out the way how by yourself,
now.

P.S.  there  are  also other ways (even more elegant) of doing that in
practice...  they  called 'stealth routing' and can be implemented via
FreeBSD  kernel  mechanism  (sysctl + built-in kernel support) or with
ipf (ipfilter)

read the man pages, man, they are freely available...

-- 
 Igor                            mailto:poige@morning.ru
                                 http://poige.nm.ru



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?13760134158.20010623111308>