RE: How to deny traceroute?

From: Haohong Lin (hhlin@xxxxxxxxxx)
Date: Sun May 06 2001 - 10:42:46 GMT-3


   
Hi,
    I disagree with the max port number 33434 + 255*3. You know, the default max TTL
is 30, NOT 255. You can check it via extended traceroute. :)

Haohong Lin

-----Original Message-----
From: forlab [mailto:forccielab@yahoo.com]
Sent: 2001 05 06 17:18
To: Haohong Lin
Subject: RE: How to deny traceroute?

Maybe you're right, but my friend, she used that just like you.
But the proctor said your ACL is in error :(
She took the lab on 4/20

henry

2001/05/06 15:49:01, "Haohong Lin" <hhlin@szskzj.com> wrote:

>
>I mean to use just 'gt 33433' for dest port, it'll be OK.
>
>An example of traceroute from Cisco CD - Internetwork Troubleshooting
>Guide - Troubleshooting TCP/IP, as follows:
>C4500#configure terminal
>C4500(config)#access-list 101 permit udp any any gt 33433
>C4500(config)#^Z
>C4500#
>%SYS-5-CONFIG_I: Configured from console by console
>C4500#show ip access-lists
>Extended IP access list 101
> permit tcp any any eq telnet
> permit icmp any any
> permit udp any any gt 33433
>C4500#
>
>Detailed description as follows (from CCO: Using the traceroute Command on
>Operating Systems):
>
>The TTL for the initial User Datagram Protocol (UDP) datagram probe is set
>to 1 (or the minimum TTL, as specified by user in the extended trace). The
>destination UDP port of the initial datagram probe is set to 33434 (or as
>specified in the extended trace command output). The extended trace command
>is a variation of the traceroute command. The source UDP port of the initial
>datagram probe is randomised and has logical operator OR with 0x8000
>(ensuring a minimum source port of 0x8000). The following steps illustrate
>what happens when the UDP datagram is launched:
>
>Note: The parameters are configurable. In this example, we start with n = 1
>and finish with n = 3.
>
>The UDP datagram is dispatched, TTL = 1.
>
>The UDP destination port is incremented, the source UDP port is randomized,
>and the second datagram dispatched.
>
>Step 2 is repeated for up to three probes (or as many times as requested in
>an extended trace command output). For each of the probes sent, you should
>receive a "TTL exceeded" message, which is used to build a step by step path
>to the destination host.
>
>TTL is incremented, and the cycle goes back to step 1 if the ICMP "time
>exceeded" message is received. You may also get one of the following
>messages:
>
>An ICMP type 3, code 3 ("destination unreachable," "port unreachable")
>message, indicating that a host has been reached.
>
>A "host unreachable," "net unreachable," "maximum TTL exceeded," or a
>"timeout" type of message, meaning that the probe is resent.
>
>Cisco routers send UDP probe packets with a random source port and an
>incremental destination port (to distinguish the different probes). Cisco
>routers send the ICMP message "time to live exceeded in transit" with the
>source address of the port from which the UDP/ICMP packet was received.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>forlab
>Sent: 2001 05 06 14:20
>To: Rob Hopkins; Darren Ward
>Cc: Mas Kato; 'Dreams Ruan'; ccielab@groupstudy.com
>Subject: Re: How to deny traceroute?
>
>
>Thank you .
>
>I checked it again; now I agree with you.
>
>Good Luck
>
>2001/05/06 14:16:40, "Rob Hopkins" <rshopkins@earthlink.net> wrote:
>
>>but if it sends three packets per hop, shouldn't the max value be
>>34199
>>
>>ie 3*255 = 765,
>>
>>min = 33434
>>max = min+765 = 34199
>>
>>Thanks,
>>
>>Rob Hopkins
>>
>>1.6180339887499
>>----- Original Message -----
>>From: "forlab" <forccielab@yahoo.com>
>>To: "Darren Ward" <dward@pla.net.au>
>>Cc: "Mas Kato" <tealp729@home.com>; "'Dreams Ruan'" <dreams_r@163.com>;
>><ccielab@groupstudy.com>
>>Sent: Sunday, May 06, 2001 1:30 AM
>>Subject: Re: How to deny traceroute?
>>
>>
>>> It's easy, the 33434: when I use 'debug ip packet detail', they
>>> are always from this UDP port.
>>>
>>> the 33689: because they use TTL exceeded, so they can't be bigger
>>> than 33434 + 255
>>>
>>> good luck
>>>
>>>
>>> 2001/05/06 12:25:51, Darren Ward <dward@pla.net.au> wrote:
>>>
>>> >Hi,
>>> >
>>> >Where did you get the reference for those ports?
>>> >
>>> >Darren
>>> >
>>> >forlab wrote:
>>> >
>>> >> access-l 100 deny udp any any range 33434 33689
>>> >> inter s 0
>>> >> ip access-group 100 out
>>> >>
>>> >> Good Luck
>>> >>
>>> >> 2001/05/06 11:25:31, Mas Kato <tealp729@home.com> wrote:
>>> >>
>>> >> >Clarification: Intermediate hops return ICMP 'TTL-exceeded' messages
>>> >> >and the target returns an ICMP 'port-unreachable' message.
>>> >> >
>>> >> >From "Troubleshooting TCP/IP" on CCO:
>>> >> >
>>> >> >Traceroute
>>> >> >Traceroute sends out either ICMP echo request (Windows) or UDP (most
>>> >> >implementations) messages with gradually increasing IP TTL values to
>>> >> >probe the path by which a packet traverses the network. The first packet
>>> >> >with the TTL set to 1 will be discarded by the first hop. The first hop
>>> >> >will send back an ICMP TTL "exceeded message" sourced from its IP
>>> >> >address facing the source of the packet. When the machine running the
>>> >> >traceroute receives the ICMP TTL "exceeded message", it can determine
>>> >> >the hop via the source IP address. This continues until the destination
>>> >> >is reached. The destination will either return an ICMP echo reply
>>> >> >(Windows) or an ICMP "port unreachable" indicating that the destination
>>> >> >had been reached. The Cisco implementation of traceroute sends out 3
>>> >> >packets at each TTL value, allowing traceroute to report routers which
>>> >> >have multiple equal-cost paths to the destination.
>>> >> >
>>> >> >Sorry if I caused any confusion with my earlier message.
>>> >> >
>>> >> >Regards,
>>> >> >
>>> >> >Mas Kato
>>> >> >
>>> >> >-----Original Message-----
>>> >> >From: Mas Kato [mailto:tealp729@home.com]
>>> >> >Sent: Thursday, May 03, 2001 11:01 PM
>>> >> >To: 'Dreams Ruan'; 'ccielab@groupstudy.com'
>>> >> >Subject: RE: How to deny traceroute?
>>> >> >
>>> >> >
>>> >> >Cisco traceroute targets UDP ports starting at 33434 in the outbound
>>> >> >direction. The returns are ICMP 'port-unreachable' messages.
>>> >> >
>>> >> >I'm a little weak on other implementations of traceroute, but
>>> >> >interestingly enough, there is a 'traceroute' ICMP message-type.
>>> >> >Apparently, other implementations of traceroute may use this, along with
>>> >> >ICMP 'time-exceeded' and/or ICMP 'ttl-exceeded.'
>>> >> >
>>> >> >There's more in the archives...
>>> >> >
>>> >> >Regards,
>>> >> >
>>> >> >Mas Kato
>>> >> >
>>> >> >-----Original Message-----
>>> >> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> >> >Dreams Ruan
>>> >> >Sent: Thursday, May 03, 2001 10:37 PM
>>> >> >To: ccielab@groupstudy.com
>>> >> >Subject: How to deny traceroute?
>>> >> >
>>> >> >
>>> >> >Hi,guys:
>>> >> >
>>> >> > How to set the access-list to deny traceroute packet? Thanks!
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > Dreams Ruan
>>> >> > dreams_r@163.com
>>> >> >**Please read:http://www.groupstudy.com/list/posting.html
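The thread disagrees about how many UDP destination ports an ACL has to cover (33434 + 255*3 versus the default maximum TTL of 30). The script below is an added example, written for this archive page and not taken from the thread or from any Cisco documentation. It models the probe sequence exactly as the quoted Cisco text describes it (first probe to port 33434, the destination port incremented on every probe, three probes per TTL) and then checks which probes a given IOS-style port operator would match, so the two ACL forms discussed above (`range 33434 33689` and `gt 33433`) can be compared for any maximum TTL. The function names, the `DEFAULT_MAX_TTL = 30` constant (taken from the claim in the thread, not verified against IOS) and the rule tuple format are this example's own assumptions.

```python
"""Model of the UDP traceroute probe sequence described in the thread, used to
check which probe destination ports an IOS-style ACL port operator covers.

Assumptions (from the quoted Cisco text, not from any Cisco source code):
  * the first probe goes to UDP port 33434 (or a caller-supplied base),
  * the destination port increments by one on every probe,
  * PROBES_PER_HOP probes are sent per TTL value, and
  * the default maximum TTL is 30, the value cited in the thread.
"""

from typing import Iterator, List, Tuple

BASE_PORT = 33434        # first destination port, as observed in the thread
DEFAULT_MAX_TTL = 30     # IOS default maximum TTL as cited in the thread (assumed)
PROBES_PER_HOP = 3       # probes per TTL value, per the quoted Cisco text

# A rule is a tuple mirroring the IOS port operators used in the thread:
# ("eq", n), ("gt", n), ("lt", n) or ("range", lo, hi).


def probe_ports(base: int = BASE_PORT, max_ttl: int = DEFAULT_MAX_TTL,
                probes: int = PROBES_PER_HOP) -> Iterator[Tuple[int, int, int]]:
    """Yield (ttl, probe_number, dst_port) for every probe of one traceroute run."""
    port = base
    for ttl in range(1, max_ttl + 1):
        for n in range(1, probes + 1):
            yield ttl, n, port
            port += 1          # destination port moves on after every probe


def port_range(base: int = BASE_PORT, max_ttl: int = DEFAULT_MAX_TTL,
               probes: int = PROBES_PER_HOP) -> Tuple[int, int]:
    """Lowest and highest destination port a run of max_ttl hops can reach."""
    return base, base + max_ttl * probes - 1


def rule_matches(rule: tuple, port: int) -> bool:
    """Evaluate an IOS-style port operator against one destination port."""
    op = rule[0]
    if op == "eq":
        return port == rule[1]
    if op == "gt":
        return port > rule[1]
    if op == "lt":
        return port < rule[1]
    if op == "range":
        return rule[1] <= port <= rule[2]
    raise ValueError(f"unknown operator {op!r}")


def uncovered_probes(rule: tuple, base: int = BASE_PORT,
                     max_ttl: int = DEFAULT_MAX_TTL,
                     probes: int = PROBES_PER_HOP) -> List[Tuple[int, int, int]]:
    """Probes that a deny entry using `rule` would NOT match (i.e. would let through)."""
    return [p for p in probe_ports(base, max_ttl, probes)
            if not rule_matches(rule, p[2])]


def render_deny(acl_number: int, rule: tuple) -> str:
    """Render the rule as an IOS extended ACL deny line, in the form used in the thread."""
    if rule[0] == "range":
        op_text = f"range {rule[1]} {rule[2]}"
    else:
        op_text = f"{rule[0]} {rule[1]}"
    return f"access-list {acl_number} deny udp any any {op_text}"


if __name__ == "__main__":
    # Compare the two ACL forms from the thread at the default and at the
    # worst-case maximum TTL.
    for rule in (("range", 33434, 33689), ("gt", 33433)):
        print(render_deny(100, rule))
        for max_ttl in (DEFAULT_MAX_TTL, 255):
            lo, hi = port_range(max_ttl=max_ttl)
            missed = uncovered_probes(rule, max_ttl=max_ttl)
            detail = (f", first at TTL {missed[0][0]} port {missed[0][2]}"
                      if missed else "")
            print(f"  max TTL {max_ttl:3d}: probes use ports {lo}-{hi}, "
                  f"{len(missed)} probe(s) not matched{detail}")
```

With the defaults assumed here, a 30-hop run uses ports 33434 through 33523, so the `range 33434 33689` entry from the thread matches every probe; only if the maximum TTL is raised to 255 do probes beyond port 33689 escape it. The `gt 33433` form matches every probe at any TTL, but it also matches all other UDP traffic to those high ports, which is the trade-off to weigh when choosing between the two.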



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:35 GMT-3