To stop pinging and traceroute from outside (Fabrice MARIE)
Joe Patterson
jpatterson@asgardgroup.com
Thu, 20 Dec 2001 15:05:22 -0500
I believe that's incorrect. I believe that most traceroute implementations,
if they don't get a reply after some (usually 3) packets at a given ttl,
will increment up to the next higher ttl. So the first few packets would
get to the firewall/router with ttl=1, be dropped, then the next ones would
get to the firewall/router with ttl=2, and be passed on. I believe a
somewhat more effective method would be a rule like:
... -m ttl --ttl-lt $INTERNAL_NETWORK_DIAMETER -j DROP
but that still doesn't address the packet with a high enough ttl to actually
get to the host, and the return packet from that. My understanding is that
the standard method of tracerouting is via incrementing ttl's on udp packets
to very high ports (>32K), then listening for either icmp-ttl-expired from
intermediate routers or icmp-port-unreachable from the destination host.
The Windows way is different, being incrementing ttl's on
icmp-echo-requests, and listening for icmp-ttl-expired or icmp-echo-reply.
The belt-and-suspenders method would be to block ttl's less than your
internal network diameter, icmp echo requests, and udp high ports (either
through an explicit rule or through a DROP policy). That way an attacker
would have to use a traceroute that will allow you to specify port (and
possibly protocol) (i.e., hping), and all they would know is the upper bound
of your internal network diameter (the value in the
$INTERNAL_NETWORK_DIAMETER variable in the above command line.)
Of course, the other odd thing you could do is to mangle incoming ttl's.
Change all incoming ttl's to something higher than your internal network
diameter. That would make your entire internal network disappear from
traceroutes. :) It has the added advantage of not breaking things for
clients that are far away hop-wise. It has the very bad disadvantage that
you have to make sure there is *absolutely* *positively* **NO** possibility
of routing loops through your firewall. Else the first looping packet will
saturate your internet link. But this is possible if you're not a transit
network and you're doing paranoid ingress destination filtering.
-Joe
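To make the difference between the rules in this thread concrete, here is an added simulation (not code from the thread or the netfilter project) of what an outside traceroute reports against a constructed topology of three outside routers, a firewall and three internal hops, under Ian's `--ttl-eq 1` drop, Joe's `--ttl-lt $INTERNAL_NETWORK_DIAMETER` drop, the belt-and-suspenders set that also drops UDP high ports and echo-requests, and the TTL-mangling variant. Hop names, hop counts and the policy keys are assumptions made for the model; `set_ttl` stands for rewriting the arriving TTL in the mangle table before anything else looks at the packet.

```python
"""Simulation of how a traceroute from the Internet sees a border firewall that
filters or rewrites TTLs.  Added illustration, not code from the thread;
topology, hop names and hop counts are constructed."""

EXTERNAL_HOPS = ["isp-edge", "transit-1", "transit-2"]          # prober -> firewall
INTERNAL_PATH = ["firewall", "core-router", "dist-router", "target-host"]
INTERNAL_NETWORK_DIAMETER = len(INTERNAL_PATH)  # arrival TTL the host needs
MAX_TTL = 30

def firewall_verdict(ttl, probe, policy):
    """What the firewall does with one probe arriving with this TTL.  Policy keys
    (assumed names) mirror the thread: drop_ttl_eq1 (--ttl-eq 1 -j DROP),
    drop_ttl_lt (--ttl-lt <n> -j DROP), drop_probes (e.g. {"udp", "icmp"}: drop
    UDP high ports / echo-requests), set_ttl (mangle the incoming TTL)."""
    if "set_ttl" in policy:
        ttl = policy["set_ttl"]                 # mangled before anything else sees it
    if policy.get("drop_ttl_eq1") and ttl == 1:
        return "drop", None                     # silent: no time-exceeded is sent
    if ttl < policy.get("drop_ttl_lt", 0):
        return "drop", None
    if ttl == 1:
        return "expired", None                  # firewall itself answers time-exceeded
    if probe in policy.get("drop_probes", ()):
        return "drop", None
    return "forward", ttl - 1                   # decremented on the way through

def traceroute(policy, probe="udp"):
    """Per-TTL view of the prober: a hop name, '*' (every probe at that TTL went
    unanswered, so traceroute moves on to the next TTL) or 'target-host'."""
    report = []
    for ttl in range(1, MAX_TTL + 1):
        ttl_at_fw = ttl - len(EXTERNAL_HOPS)
        if ttl_at_fw < 1:
            report.append(EXTERNAL_HOPS[ttl - 1])   # expires at an outside router
            continue
        verdict, ttl_after = firewall_verdict(ttl_at_fw, probe, policy)
        if verdict == "drop":
            report.append("*")
            continue
        if verdict == "expired":
            report.append("firewall")
            continue
        beyond = INTERNAL_PATH[1:]                  # hops after the firewall
        if ttl_after < len(beyond):
            report.append(beyond[ttl_after - 1])    # an internal router expires it
            continue
        report.append("target-host")                # port-unreachable / echo-reply
        break
    return report
```

Note that a real `--ttl-eq 1` rule has to sit in a chain the packet reaches before the kernel's own TTL-expiry check (PREROUTING rather than FORWARD), otherwise the firewall has already answered with time-exceeded before the rule is consulted.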
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of Ian Jones
Sent: Thursday, December 20, 2001 2:24 PM
To: nour@nour.net
Cc: netfilter@lists.samba.org
Subject: Re: To stop pinging and traceroute from outside (Fabrice MARIE)
"Darian Lanx" <nour@nour.net> writes:
> |> 1. Re: To stop pinging and traceroute from outside (Fabrice
> |> MARIE)
> |>
> |> You can drop incoming echo-requests to stop ping to your interface,
> |> and drop outgoing time-exceeded to drop reply to traceroute.
> Just a side note. Please do NOT drop time-exceeded packets if you are
> running services on the firewall or the firewall acts as a proxy to
> services running behind the firewall. The ICMP time-exceeded packet is
> crucial to proper function of daemon/client connections.
I think a better way of dealing with it is to use the TTL match to
DROP anything with TTL=1 at the firewall/router.
... -m ttl --ttl-eq 1 -j DROP
This will have the minor downside of a (very) few false positives, but
IMHO it is a better way to go.
It would still be possible to craft a mechanism whereby protected
hosts could be mapped, but the average traceroute would fail and only
report the hop prior to the firewall/router.