Tom, I'm looking for a way to block traceroute from displaying information about the system. The reason for this is that it supposedly can be used in some form of DOS attack.

Example: traceroute www.yahoo.com will list the following info.

 1 66.7.129.217 (66.7.129.217) 42.709 ms 43.273 ms 41.471 ms
 2 nycmny2wcx1-pos4-2.wcg.net (64.200.86.209) 44.670 ms 43.059 ms 37.997 ms
 6 nycmny1wce1-pos5-0.wcg.net (65.77.98.29) 43.199 ms 38.336 ms 41.261 ms
 3 * * *
 4 * * *
 5 washdc5lce1-oc48.wcg.net (64.200.95.145) 50.820 ms 48.245 ms 46.080 ms
 6 washdc5lce1-yahoo-gige.wcg.net (64.200.95.58) 49.982 ms 50.240 ms 48.467 ms
 7 ge-0-3-0.p37.msr2.dcn.yahoo.com (216.109.120.173) 44.644 ms 52.231 ms 45.841 ms
 8 vl33.bas2-m.dcn.yahoo.com (216.109.120.154) 46.349 ms 48.885 ms 43.904 ms
13 w5.www.dcn.yahoo.com (216.109.125.78) 49.986 ms 46.540 ms 48.723 ms

I would like the firewall to actually not reply to this information. I'm not sure how this is possible to do but supposedly it is possible.

--
Nick Sklavenitis <sklav@sklav.com>
Sklav Networks <www.sklav.com>
On Tue, 2003-07-01 at 05:27, Nick Sklavenitis wrote:
> Tom, I'm looking for a way to block traceroute from displaying information
> about the system. The reason for this is that it supposedly can be used
> in some form of DOS attack.

It is not clear to me what you are asking. Are you saying that you want to prevent the user community protected by your firewall from being able to use traceroute to gain information which may then be used by them in a DOS attack against a foreign system?

> Example: traceroute www.yahoo.com will list the following info.
>
>  1 66.7.129.217 (66.7.129.217) 42.709 ms 43.273 ms 41.471 ms
>  2 nycmny2wcx1-pos4-2.wcg.net (64.200.86.209) 44.670 ms 43.059 ms 37.997 ms
>  6 nycmny1wce1-pos5-0.wcg.net (65.77.98.29) 43.199 ms 38.336 ms 41.261 ms
>  3 * * *
>  4 * * *
>  5 washdc5lce1-oc48.wcg.net (64.200.95.145) 50.820 ms 48.245 ms 46.080 ms
>  6 washdc5lce1-yahoo-gige.wcg.net (64.200.95.58) 49.982 ms 50.240 ms 48.467 ms
>  7 ge-0-3-0.p37.msr2.dcn.yahoo.com (216.109.120.173) 44.644 ms 52.231 ms 45.841 ms
>  8 vl33.bas2-m.dcn.yahoo.com (216.109.120.154) 46.349 ms 48.885 ms 43.904 ms
> 13 w5.www.dcn.yahoo.com (216.109.125.78) 49.986 ms 46.540 ms 48.723 ms
>
> I would like the firewall to actually not reply to this information. I'm
> not sure how this is possible to do but supposedly it is possible.

I'm not sure what you mean by "reply to this information". Could you elaborate? What exactly is your goal?

Regards,
Ed
--
http://www.shorewall.net
Shorewall, for all your firewall needs
On 01 Jul 2003 07:57:01 +0800, Ed Greshko <Ed.Greshko@greshko.com> wrote:
> On Tue, 2003-07-01 at 05:27, Nick Sklavenitis wrote:
>> Tom, I'm looking for a way to block traceroute from displaying information
>> about the system. The reason for this is that it supposedly can be used
>> in some form of DOS attack.
>
> It is not clear to me what you are asking.
>

I've been corresponding privately with Nick and *I'm* still not clear. Guess I'll take a shotgun approach:

a) There are two flavors of ICMP. One uses ping (icmp type 8) request packets with varying TTL and the other uses UDP request packets with varying port and TTL. The port varies with the TTL, with the base port being 33434.

b) Traceroute works by watching for TTL Time Exceeded (and other) ICMP replies -- the source IP address in the reply is the IP address of the system "TTL" hops from the client.

c) If you disable "ping" from the net, then your firewall won't respond to either type of 'traceroute' probe from the net.

d) You can disable 'traceroute' from the firewall and from behind it by adding the following entry to /etc/shorewall/blacklist (be sure to set the 'blacklist' option on your external interface in /etc/shorewall/interfaces):

    0.0.0.0/0    icmp    ttl-zero-during-transit

This stops the ICMP replies that traceroute relies on. Of course it also disables all forms of TTL-exceeded detection, so you may be creating other types of weird timeout problems -- your choice, but don't whine here...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
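As an added illustration of points b) and d) above (example code written for this thread, not part of Shorewall or of Tom's post), the following Python model walks a probe hop by hop, decrementing the TTL, and shows what the trace looks like when one hop silently drops its Time Exceeded replies. The hop addresses are constructed documentation addresses, and the "one probe per TTL, port advancing with the TTL" port rule is a simplification.

```python
# Added example, not from the thread or the Shorewall project: a model of
# the TTL mechanism traceroute relies on, and of a hop that silently drops
# its ICMP Time Exceeded replies (the effect of the blacklist entry above).
from dataclasses import dataclass

BASE_PORT = 33434  # base destination port of the UDP flavour of traceroute


@dataclass
class Hop:
    ip: str
    # False models a hop whose "ttl-zero-during-transit" replies are blocked
    sends_ttl_exceeded: bool = True


def udp_probe_port(ttl: int) -> int:
    """Destination port of the UDP probe sent with this TTL (constructed
    simplification: one probe per TTL, port advancing with the TTL)."""
    return BASE_PORT + ttl - 1


def forward(path, ttl):
    """Forward one probe along path (last element is the destination host).
    Returns the source IP of the reply the probe elicits, or None on timeout."""
    for router in path[:-1]:
        ttl -= 1                      # each router decrements the TTL
        if ttl == 0:                  # TTL expired in transit at this router
            return router.ip if router.sends_ttl_exceeded else None
    return path[-1].ip                # destination reached: it answers directly


def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, ... until the destination answers; '*' marks a
    hop that sent nothing, exactly as real traceroute prints it."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = forward(path, ttl)
        hops.append((ttl, reply or "*"))
        if reply == path[-1].ip:
            break
    return hops


# Constructed sample path (documentation addresses): the middle hop is a
# firewall that drops ttl-zero-during-transit, so it shows up as "*".
SAMPLE_PATH = [Hop("192.0.2.1"),
               Hop("198.51.100.1", sends_ttl_exceeded=False),
               Hop("203.0.113.10")]

if __name__ == "__main__":
    for ttl, who in traceroute(SAMPLE_PATH):
        print(f"{ttl:2d}  {who}")
```

Note that the silent firewall only hides its own address as a "*" line; the hops beyond it still answer, so the trace continues to the destination.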
On Mon, 30 Jun 2003 17:18:28 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> On 01 Jul 2003 07:57:01 +0800, Ed Greshko <Ed.Greshko@greshko.com> wrote:
>>
> a) There are two flavors of ICMP.

Make that "There are two flavors of traceroute"

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net