Re: How to deny traceroute?

From: Darren Ward (dward@xxxxxxxxxx)
Date: Sun May 06 2001 - 01:25:51 GMT-3


   
Hi,

Where did you get the reference for those ports?

Darren

forlab wrote:

> access-l 100 deny udp any any range 33434 33689
> inter s 0
> ip access-group 100 out
>
> Good Luck
>
> 2001/05/06 11:25:31, Mas Kato <tealp729@home.com> wrote:
>
> >Clarification: Intermediate hops return ICMP 'TTL-exceeded' messages and
> >the target returns an ICMP 'port-unreachable' message.
> >
> >From "Troubleshooting TCP/IP" on CCO:
> >
> >Traceroute
> >Traceroute sends out either ICMP echo request (Windows) or UDP (most
> >implementations) messages with gradually increasing IP TTL values to
> >probe the path by which a packet traverses the network. The first packet
> >with the TTL set to 1 will be discarded by the first hop. The first hop
> >will send back an ICMP TTL "exceeded message" sourced from its IP
> >address facing the source of the packet. When the machine running the
> >traceroute receives the ICMP TTL "exceeded message", it can determine
> >the hop via the source IP address. This continues until the destination
> >is reached. The destination will either return an ICMP echo reply
> >(Windows) or an ICMP "port unreachable" indicating that the destination
> >had been reached. The Cisco implementation of traceroute sends out 3
> >packets at each TTL value, allowing traceroute to report routers which
> >have multiple equal-cost paths to the destination.
> >
> >Sorry if I caused any confusion with my earlier message.
> >
> >Regards,
> >
> >Mas Kato
> >
> >-----Original Message-----
> >From: Mas Kato [mailto:tealp729@home.com]
> >Sent: Thursday, May 03, 2001 11:01 PM
> >To: 'Dreams Ruan'; 'ccielab@groupstudy.com'
> >Subject: RE: How to deny traceroute?
> >
> >
> >Cisco traceroute targets UDP ports starting at 33434 in the outbound
> >direction. The returns are ICMP 'port-unreachable' messages.
> >
> >I'm a little weak on other implementations of traceroute, but
> >interestingly enough, there is a 'traceroute' ICMP message-type.
> >Apparently, other implementations of traceroute may use this, along with
> >ICMP 'time-exceeded' and/or ICMP 'ttl-exceeded.'
> >
> >There's more in the archives...
> >
> >Regards,
> >
> >Mas Kato
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >Dreams Ruan
> >Sent: Thursday, May 03, 2001 10:37 PM
> >To: ccielab@groupstudy.com
> >Subject: How to deny traceroute?
> >
> >
> >Hi, guys:
> >
> > How to set the access-list to deny traceroute packets? Thanks!
> >
> >
> >
> >
> > Dreams Ruan
> > dreams_r@163.com
> >**Please read:http://www.groupstudy.com/list/posting.html
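
An added example, not part of the thread and not Cisco's code: a small first-match model of the access list quoted above, run over constructed packets, showing which of the probe types described in the quoted "Troubleshooting TCP/IP" text the single `deny udp` entry matches and what the implicit deny at the end of an IOS access list does to everything else. The `Packet` and `Rule` names and the two longer lists are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp", "icmp" or "tcp"
    dport: Optional[int] = None       # UDP/TCP destination port
    icmp_type: Optional[int] = None   # 8 = echo request

@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches any protocol
    ports: Optional[Tuple[int, int]] = None   # inclusive destination-port range
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.ports and not (p.dport is not None and self.ports[0] <= p.dport <= self.ports[1]):
            return False
        return self.icmp_type is None or self.icmp_type == p.icmp_type

def evaluate(acl, p):
    """First matching entry wins; an IOS access list ends in an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

# The single entry posted in the thread: deny udp any any range 33434 33689
POSTED = [Rule("deny", "udp", ports=(33434, 33689))]
# Assumption: the same list with an explicit "permit ip any any" appended
WITH_PERMIT = POSTED + [Rule("permit", "ip")]
# Assumption: also deny ICMP echo, the probe the quoted text attributes to Windows
# (this blocks ordinary ping through the interface as well)
WITH_ECHO = POSTED + [Rule("deny", "icmp", icmp_type=8), Rule("permit", "ip")]

# Constructed sample packets, not captured traffic
SAMPLES = {
    "udp_probe": Packet("udp", dport=33434),
    "echo_probe": Packet("icmp", icmp_type=8),
    "web": Packet("tcp", dport=80),
}

def verdicts(acl):
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("posted", POSTED), ("with permit", WITH_PERMIT), ("with echo deny", WITH_ECHO)):
        print(label, verdicts(acl))
```
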



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:34 GMT-3