----- Original Message -----
From: "Jopoy C. Solano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 3:54 PM
Subject: Re: [plug] OT: how to hide local routes


> The routers are linux boxes. My idea is that
> traceroute can be issued from any machine going through those
> routes without seeing the hops.  My purpose is to hide them from the
> students :) hehehe
> ...for additional security if possible.

if that is what you really want to do, then here are your two options for a
linux OS:

1. hacking the kernel

    a. edit /usr/src/<linux-kernel-version>/net/ip_forward.c
    b. look for these two lines in the int ip_forward(struct sk_buff *skb)
       function

        /* Decrease ttl after skb cow done */
        ip_decrease_ttl(iph);

    c. remark the last line... for example:

        /* Decrease ttl after skb cow done */
        /* ip_decrease_ttl(iph); */

    d. recompile your kernel

2. no hacking of the kernel, but putting up a firewall... for example using
ipchains:

    ipchains -A output -p icmp -s <ip_address_of_your_server> --icmp-type 11 -j DENY

    icmp type eleven is TIME EXCEEDED

for freebsd or *BSD users out there, just add this option to your kernel
configuration file: "options IPSTEALTH"

if you ask, why play with the TTL or time-to-live value in order to hide a
router along the path when using a traceroute program?

here is the algorithm of the traceroute program (take note that unix's
traceroute uses udp while microsoft's traceroute uses icmp echo packets)

for unix traceroute program:

the traceroute program will first send a packet with a TTL value of 1 and a
destination udp port starting at 32768. when the packet is sent out from the
host's interface and received by the first router along the path, the first
router will decrement the TTL value. since the first packet's TTL value is 1,
when the router decrements it the value becomes 0. according to the router RFC,
when the TTL value reaches zero the router must drop the packet and send an
icmp packet back to the sender with icmp type 11 (time exceeded) and either
code 0 (time to live exceeded in transit) or code 1 (fragment reassembly time
exceeded). this icmp type 11 packet has the source ip address of the first
router along the path, which the traceroute program prints as the first hop.

after that, the traceroute program sends the second packet with a TTL value of
2 and the same destination udp port number 32768. this second udp packet passes
the first router, which decrements the TTL to 1; because it is not zero, the
packet is passed on to the second router. the second router processes the TTL
value, which turns into zero, and does the same as the first router did a
moment ago: it drops the packet and sends an icmp type 11 packet back to the
sender. now the traceroute program has determined the second hop and prints it.
the traceroute program then sends the third packet with a TTL value of 3, and
it keeps incrementing the TTL every time it sees an icmp type 11 packet, and so
on and so forth.

according to the router RFC, only routers decrement the TTL value and not the
host. so what happens when this udp packet reaches the final destination and
the host cannot decrement the TTL value? since this packet is addressed to udp
port 32768, it will try to connect to that port on the host. if the host is not
listening on that port, the host sends back an icmp type 3 (destination
unreachable) code 3 (port unreachable); with this, the traceroute program
prints the final hop. so what happens if there is a udp listener on port 32768
on that host? the traceroute program will just increase the udp port number
from 32768 one at a time until it sees an icmp type 3 code 3, or until it runs
out of tries and gives up because the host is down or the link is broken.

microsoft's traceroute uses the same technique as unix's traceroute, using the
TTL to determine the number of hops along the path, but it uses icmp echo
packets instead, so that the final destination host will just reply with an
icmp echo reply packet.

now that you know how the traceroute program works, you already understand why
i disable the function that decrements the ttl value in the ip header, or put
a firewall rule on it.

fooler.
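As an added illustration (my own example, not code from the original post), here is a small Python model of the UDP traceroute algorithm described above, with simulated routers that can apply either hiding technique from the reply: not decrementing the TTL (the kernel edit or IPSTEALTH) or decrementing it but filtering the outgoing ICMP type 11 reply (the ipchains rule). The Router/Host classes, the mode names and the 10.0.x.x addresses are constructed for this demo.

```python
from dataclasses import dataclass, field

ICMP_TIME_EXCEEDED = (11, 0)   # type 11 code 0: time to live exceeded in transit
ICMP_PORT_UNREACH = (3, 3)     # type 3 code 3: port unreachable
BASE_PORT = 32768              # first UDP destination port, as given in the post

@dataclass
class Router:
    addr: str
    # "normal"; "no_ttl_decrement" = kernel hack / IPSTEALTH; "drop_icmp11" = ipchains rule
    mode: str = "normal"

@dataclass
class Host:
    addr: str
    listening: set = field(default_factory=set)  # UDP ports with a listener bound

def send_probe(path, host, ttl, port):
    """One UDP probe along path; returns ((type, code), src_addr) or None on timeout."""
    for router in path:
        if router.mode == "no_ttl_decrement":
            continue               # forwarded with TTL untouched: the hop is invisible
        ttl -= 1                   # routers, not hosts, decrement the TTL
        if ttl == 0:
            if router.mode == "drop_icmp11":
                return None        # packet dropped and the ICMP 11 reply filtered
            return ICMP_TIME_EXCEEDED, router.addr
    if port in host.listening:
        return None                # a listener consumed it, so no ICMP 3/3 reply
    return ICMP_PORT_UNREACH, host.addr

def traceroute(path, host, max_ttl=30, tries=3):
    """Return the hop addresses traceroute would print ('*' marks a timeout)."""
    hops, port = [], BASE_PORT
    for ttl in range(1, max_ttl + 1):
        reply = None
        for _ in range(tries):
            reply = send_probe(path, host, ttl, port)
            if reply is not None:
                break
            port += 1              # maybe a listener on that port: try the next one
        if reply is None:
            hops.append("*")
            continue
        (icmp_type, _code), src = reply
        hops.append(src)
        if icmp_type == 3:         # port unreachable: the final destination answered
            break
    return hops
```

Run through three routers with the middle one in "no_ttl_decrement" mode and a destination listening on port 32768, traceroute() returns ['10.0.0.1', '10.0.2.1', '10.0.3.10'], so the hidden router is simply absent. With the middle router in "drop_icmp11" mode instead, the same hop shows up as '*', which is the visible gap the firewall approach leaves.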


Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
