RE: How to deny traceroute?

From: Haohong Lin (hhlin@xxxxxxxxxx)
Date: Sun May 06 2001 - 04:49:01 GMT-3


I mean, just using 'gt 33433' for the dest port will be OK.

An example of traceroute from the Cisco CD (Internetwork Troubleshooting
Guide, Troubleshooting TCP/IP) is as follows:
C4500#configure terminal
C4500(config)#access-list 101 permit udp any any gt 33433
C4500(config)#^Z
C4500#
%SYS-5-CONFIG_I: Configured from console by console
C4500#show ip access-lists
Extended IP access list 101
    permit tcp any any eq telnet
    permit icmp any any
    permit udp any any gt 33433
C4500#

A detailed description is as follows (from CCO: Using the traceroute Command on
Operating Systems):

The TTL for the initial User Datagram Protocol (UDP) datagram probe is set
to 1 (or the minimum TTL, as specified by the user in the extended trace). The
destination UDP port of the initial datagram probe is set to 33434 (or as
specified in the extended trace command output). The extended trace command
is a variation of the traceroute command. The source UDP port of the initial
datagram probe is randomised and has logical operator OR with 0x8000
(ensuring a minimum source port of 0x8000). The following steps illustrate
what happens when the UDP datagram is launched:

Note: The parameters are configurable. In this example, we start with n = 1
and finish with n = 3.

1. The UDP datagram is dispatched, TTL = 1.

2. The UDP destination port is incremented, the source UDP port is randomized,
and the second datagram dispatched.

3. Step 2 is repeated for up to three probes (or as many times as requested in
an extended trace command output). For each of the probes sent, you should
receive a "TTL exceeded" message, which is used to build a step by step path
to the destination host.

4. TTL is incremented, and the cycle goes back to step 1 if the ICMP "time
exceeded" message is received. You may also get one of the following
messages:

An ICMP type 3, code 3 ("destination unreachable," "port unreachable")
message, indicating that a host has been reached.

A "host unreachable," "net unreachable," "maximum TTL exceeded," or a
"timeout" type of message, meaning that the probe is resent.

Cisco routers send UDP probe packets with a random source port and an
incremental destination port (to distinguish the different probes). Cisco
routers send the ICMP message "time to live exceeded in transit" with the
source address of the port from which the UDP/ICMP packet was received.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
forlab
Sent: 2001 05 06 14:20
To: Rob Hopkins; Darren Ward
Cc: Mas Kato; 'Dreams Ruan'; ccielab@groupstudy.com
Subject: Re: How to deny traceroute?

Thank you.

I checked it again; now I agree with you.

Good Luck

2001/05/06 14:16:40, "Rob Hopkins" <rshopkins@earthlink.net> wrote:

>but if it sends three packets per hop, shouldn't the max value be
>34199
>
>i.e. 3*255 = 765,
>
>min = 33434
>max = min+765 = 34199
>
>Thanks,
>
>Rob Hopkins
>
>1.6180339887499
>----- Original Message -----
>From: "forlab" <forccielab@yahoo.com>
>To: "Darren Ward" <dward@pla.net.au>
>Cc: "Mas Kato" <tealp729@home.com>; "'Dreams Ruan'" <dreams_r@163.com>;
><ccielab@groupstudy.com>
>Sent: Sunday, May 06, 2001 1:30 AM
>Subject: Re: How to deny traceroute?
>
>
>> It's easy, the 33434: when I use 'debug ip packet detail', they
>> are always from this udp port.
>>
>> the 33689: because they use TTL exceeded, so they can't be bigger than
>> 33434 + 255
>>
>> good luck
>>
>>
>> 2001/05/06 12:25:51, Darren Ward <dward@pla.net.au> wrote:
>>
>> >Hi,
>> >
>> >Where did you get the reference for those ports?
>> >
>> >Darren
>> >
>> >forlab wrote:
>> >
>> >> access-l 100 deny udp any any range 33434 33689
>> >> inter s 0
>> >> ip access-group 100 out
>> >>
>> >> Good Luck
>> >>
>> >> 2001/05/06 11:25:31, Mas Kato <tealp729@home.com> wrote:
>> >>
>> >> >Clarification: Intermediate hops return ICMP 'TTL-exceeded' messages and
>> >> >the target returns an ICMP 'port-unreachable' message.
>> >> >
>> >> >From "Troubleshooting TCP/IP" on CCO:
>> >> >
>> >> >Traceroute
>> >> >Traceroute sends out either ICMP echo request (Windows) or UDP (most
>> >> >implementations) messages with gradually increasing IP TTL values to
>> >> >probe the path by which a packet traverses the network. The first packet
>> >> >with the TTL set to 1 will be discarded by the first hop. The first hop
>> >> >will send back an ICMP TTL "exceeded message" sourced from its IP
>> >> >address facing the source of the packet. When the machine running the
>> >> >traceroute receives the ICMP TTL "exceeded message", it can determine
>> >> >the hop via the source IP address. This continues until the destination
>> >> >is reached. The destination will either return an ICMP echo reply
>> >> >(Windows) or an ICMP "port unreachable" indicating that the destination
>> >> >had been reached. The Cisco implementation of traceroute sends out 3
>> >> >packets at each TTL value, allowing traceroute to report routers which
>> >> >have multiple equal-cost paths to the destination.
>> >> >
>> >> >Sorry if I caused any confusion with my earlier message.
>> >> >
>> >> >Regards,
>> >> >
>> >> >Mas Kato
>> >> >
>> >> >-----Original Message-----
>> >> >From: Mas Kato [mailto:tealp729@home.com]
>> >> >Sent: Thursday, May 03, 2001 11:01 PM
>> >> >To: 'Dreams Ruan'; 'ccielab@groupstudy.com'
>> >> >Subject: RE: How to deny traceroute?
>> >> >
>> >> >
>> >> >Cisco traceroute targets UDP ports starting at 33434 in the outbound
>> >> >direction. The returns are ICMP 'port-unreachable' messages.
>> >> >
>> >> >I'm a little weak on other implementations of traceroute, but
>> >> >interestingly enough, there is a 'traceroute' ICMP message-type.
>> >> >Apparently, other implementations of traceroute may use this, along with
>> >> >ICMP 'time-exceeded' and/or ICMP 'ttl-exceeded.'
>> >> >
>> >> >There's more in the archives...
>> >> >
>> >> >Regards,
>> >> >
>> >> >Mas Kato
>> >> >
>> >> >-----Original Message-----
>> >> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> >> >Dreams Ruan
>> >> >Sent: Thursday, May 03, 2001 10:37 PM
>> >> >To: ccielab@groupstudy.com
>> >> >Subject: How to deny traceroute?
>> >> >
>> >> >
>> >> >Hi,guys:
>> >> >
>> >> > How to set the access-list to deny traceroute packets? Thanks!
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > Dreams Ruan
>> >> > dreams_r@163.com
>> >> >**Please read:http://www.groupstudy.com/list/posting.html
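The thread's arithmetic (33434 as the first destination port, one port per probe, 3 probes per hop, 255 hops) decides whether an ACL such as 'range 33434 33689' or 'gt 33433' catches every probe. The script below is an added example, not code from the thread or from Cisco; it models the probe-port sequence exactly as the CCO text above describes it and checks each IOS port operator against it. The operator names are the IOS keywords (eq, gt, lt, range); the PortMatch class and helper functions are my own.

```python
# Added example: model UDP traceroute destination ports and test which
# extended-ACL port operator covers all of them.
from dataclasses import dataclass

BASE_PORT = 33434        # first probe's destination port (per the CCO text)
PROBES_PER_HOP = 3       # Cisco sends three probes per TTL value
MAX_TTL = 255            # largest TTL a probe can carry


def probe_ports(max_ttl=MAX_TTL, probes=PROBES_PER_HOP, base=BASE_PORT):
    """Destination port of every probe: the port is incremented once per
    datagram, so TTL t, probe p (0-based) uses base + (t-1)*probes + p."""
    return [base + (ttl - 1) * probes + p
            for ttl in range(1, max_ttl + 1) for p in range(probes)]


@dataclass
class PortMatch:
    """One port operator from an IOS extended access-list entry (hypothetical
    helper, not an IOS API): 'eq 33434', 'gt 33433', 'range 33434 33689'."""
    op: str
    lo: int
    hi: int = 0

    def matches(self, port):
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        if self.op == "range":
            return self.lo <= port <= self.hi
        raise ValueError(f"unknown port operator {self.op!r}")


def coverage(match, ports):
    """Split probe ports into (matched, missed) for one ACL port operator."""
    matched = [p for p in ports if match.matches(p)]
    missed = [p for p in ports if not match.matches(p)]
    return matched, missed


def hops_covered(match, probes=PROBES_PER_HOP, max_ttl=MAX_TTL):
    """Largest TTL whose probes are ALL caught by the operator (0 if none);
    probes beyond it slip past the deny entry."""
    covered = 0
    for ttl in range(1, max_ttl + 1):
        hop_ports = [BASE_PORT + (ttl - 1) * probes + p for p in range(probes)]
        if not all(match.matches(p) for p in hop_ports):
            break
        covered = ttl
    return covered


if __name__ == "__main__":
    for m in (PortMatch("range", 33434, 33689), PortMatch("gt", 33433)):
        matched, missed = coverage(m, probe_ports())
        print(f"{m.op} {m.lo} {m.hi or ''}: {len(matched)} matched, "
              f"{len(missed)} missed, hops fully covered: {hops_covered(m)}")
```

With three probes per hop, 'range 33434 33689' (256 ports) only covers the first 85 hops, while 'gt 33433' covers all 765 probe ports.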



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:35 GMT-3