RE: How to deny traceroute?

From: forlab (forccielab@xxxxxxxxx)
Date: Sun May 06 2001 - 00:45:35 GMT-3


   
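access-list 100 deny udp any any range 33434 33689
! An ACL ends with an implicit "deny ip any any", so permit the rest explicitly
access-list 100 permit ip any any
!
interface Serial0
 ip access-group 100 out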

Good Luck

2001/05/06 11:25:31, Mas Kato <tealp729@home.com> wrote:

>Clarification: Intermediate hops return ICMP 'TTL-exceeded' messages and
>the target returns an ICMP 'port-unreachable' message.
>
>From "Troubleshooting TCP/IP" on CCO:
>
>Traceroute
>Traceroute sends out either ICMP echo request (Windows) or UDP (most
>implementations) messages with gradually increasing IP TTL values to
>probe the path by which a packet traverses the network. The first packet
>with the TTL set to 1 will be discarded by the first hop. The first hop
>will send back an ICMP TTL "exceeded message" sourced from its IP
>address facing the source of the packet. When the machine running the
>traceroute receives the ICMP TTL "exceeded message", it can determine
>the hop via the source IP address. This continues until the destination
>is reached. The destination will either return an ICMP echo reply
>(Windows) or an ICMP "port unreachable" indicating that the destination
>had been reached. The Cisco implementation of traceroute sends out 3
>packets at each TTL value, allowing traceroute to report routers which
>have multiple equal-cost paths to the destination.
>
>Sorry if I caused any confusion with my earlier message.
>
>Regards,
>
>Mas Kato
>
>-----Original Message-----
>From: Mas Kato [mailto:tealp729@home.com]
>Sent: Thursday, May 03, 2001 11:01 PM
>To: 'Dreams Ruan'; 'ccielab@groupstudy.com'
>Subject: RE: How to deny traceroute?
>
>
>Cisco traceroute targets UDP ports starting at 33434 in the outbound
>direction. The returns are ICMP 'port-unreachable' messages.
>
>I'm a little weak on other implementations of traceroute, but
>interestingly enough, there is a 'traceroute' ICMP message-type.
>Apparently, other implementations of traceroute may use this, along with
>ICMP 'time-exceeded' and/or ICMP 'ttl-exceeded.'
>
>There's more in the archives...
>
>Regards,
>
>Mas Kato
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Dreams Ruan
>Sent: Thursday, May 03, 2001 10:37 PM
>To: ccielab@groupstudy.com
>Subject: How to deny traceroute?
>
>
>Hi, guys:
>
> How to set the access-list to deny traceroute packets? Thanks!
>
>
> Dreams Ruan
> dreams_r@163.com
>**Please read:http://www.groupstudy.com/list/posting.html
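
Added example (not part of the original thread): a small Python model of first-match ACL evaluation, applied to the UDP port-range filter from the reply at the top. It shows that a deny-only list drops all other traffic through the implicit deny, and that a UDP-only filter with a trailing permit still passes the ICMP echo probes that Windows uses. The probe defaults (30 hops, destination port incrementing by one per probe) and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "icmp" or "tcp"
    dport: Optional[int] = None  # destination port (udp/tcp only)
    label: str = ""

@dataclass(frozen=True)
class Entry:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches every protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        in_range = self.ports is None or (
            p.dport is not None and self.ports[0] <= p.dport <= self.ports[1])
        return self.proto in ("ip", p.proto) and in_range

def evaluate(acl, p):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"

def udp_probes(base=33434, max_ttl=30, per_ttl=3):
    """UDP traceroute probes: 3 per TTL, port incrementing per probe (assumed defaults)."""
    return [Packet("udp", base + i, f"probe {i}") for i in range(max_ttl * per_ttl)]

# The single deny entry from the thread, alone and with an explicit trailing permit.
DENY_ONLY = [Entry("deny", "udp", (33434, 33689))]
WITH_PERMIT = DENY_ONLY + [Entry("permit", "ip")]

# Constructed sample traffic, not captured packets.
SAMPLES = [
    Packet("icmp", label="Windows tracert echo request"),
    Packet("tcp", 80, "web traffic"),
    Packet("udp", 53, "DNS query"),
]

def report(acl):
    """Return (UDP probes denied, {sample label: action}) for one ACL."""
    denied = sum(evaluate(acl, p) == "deny" for p in udp_probes())
    return denied, {p.label: evaluate(acl, p) for p in SAMPLES}

if __name__ == "__main__":
    print("deny only:", report(DENY_ONLY), "\nwith permit:", report(WITH_PERMIT))
```

Both lists stop all 90 default UDP probes; only the list with the trailing permit lets the unrelated traffic through, and it also lets the ICMP echo request through.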



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:34 GMT-3