----- Original Message -----
From: "Jopoy C. Solano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 30, 2003 6:29 PM
Subject: Re: [plug] OT: how to hide local routes

> thanks for the elaborate insight :)
>
> From what I understand this will display "destination unreachable" or
> "Request timeout"

yes this is for number 2 option by using a firewall... no destination
unreachable here but a request timeout when the packet reaches your
router's box with a TTL value of 1... upon request timeout, some of the
*smart* traceroute programs try to proceed with the next TTL value
(TTL + 1) to determine the next hop because this smart traceroute
program assumes that there is a smart router hiding from the traceroute
program....

> I was hoping to hide the route :) it will appear
> to the one executing traceroute or tracert that
> everything's just normal. (no timeouts between the hops and the destination)

then use option number 1 :->

fooler.

>
> 'jopoy
>
>
> fooler said:
> > ----- Original Message -----
> > From: "Jopoy C. Solano" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, January 30, 2003 3:54 PM
> > Subject: Re: [plug] OT: how to hide local routes
> >
> >
> >> The routers are linux boxes. My idea is that
> >> traceroute can be issued from any machine going through those
> >> routes without seeing the hops. My purpose is to hide them from the
> >> students :) hehehe
> >> ...for additional security if possible.
> >
> > if that is the case you really wanted to do, then here are your two
> > options for linux OS:
> >
> > 1. hacking the kernel
> >
> > a. edit /usr/src/<linux-kernel-version>/net/ip_forward.c
> > b. look for these two lines under the int ip_forward(struct sk_buff *skb)
> > function
> >
> > /* Decrease ttl after skb cow done */
> > ip_decrease_ttl(iph);
> >
> > c. remark the last line... for example:
> >
> > /* Decrease ttl after skb cow done */
> > /* ip_decrease_ttl(iph); */
> >
> > d. recompile your kernel
> >
> > 2. no hacking of kernel but putting a firewall... for example using
> > ipchains
> >
> > ipchains -A output -p icmp -s <ip_address_of_your_server> --icmp-type 11 -j DENY
> >
> > icmp type eleven is TIME EXCEEDED
> >
> > for freebsd or *BSD users out there, just add to your kernel
> > configuration file this option: "options IPSTEALTH"
> >
> > if you ask, why play with the TTL or time-to-live value in order to hide
> > a router along the path when using a traceroute program?
> >
> > here is the algorithm of the traceroute program (take note that the
> > traceroute of unix is using udp while microsoft's traceroute is using an
> > icmp echo packet)
> >
> > for the unix traceroute program:
> >
> > the traceroute program will try to send the first packet with TTL value
> > equal to 1 with the destination udp port starting at 32768... when the
> > packet is sent out from the host's interface and received by the first
> > router along the path, the first router will decrement the TTL value...
> > since the first packet's TTL value is 1 and when the router decrements
> > it, the value is 0... according to the router's RFC, when the TTL value
> > is zero, the router must drop the packet and send an icmp packet back to
> > the sender with icmp type 11 (time exceeded) and either code 0 (time to
> > live exceeded in transit) or code 1 (fragment reassembly time
> > exceeded)... this icmp type 11 packet now has the source ip address of
> > the first router along the path, which the traceroute program will
> > print as the first hop... after that, the traceroute program will
> > send the second packet with TTL value equal to 2 with the same
> > destination udp port number 32768... now this second udp packet will
> > pass the first router, which decrements it; the TTL value is now 1,
> > and because it is not zero, it will pass to the second router... the
> > second router will process the TTL value, which turns into zero after
> > processing it... the same procedure as what the first router did a
> > while ago, by dropping it and sending an icmp type 11 packet back to the
> > sender... now the traceroute program has determined the second hop and
> > prints it... by then the traceroute program will process the third
> > packet, whose TTL value is 3, and increments it every time it sees an
> > icmp type 11 packet, and so on and so forth....
> >
> > according to the router's RFC, only the router decrements the TTL value
> > and not the host... so what happens when this udp packet reaches the
> > final destination and the host cannot decrement the TTL value? since
> > this packet is using udp port 32768.. it will try to connect to that
> > host... if that host is not listening on that port, the host will send
> > an icmp type 3 (destination unreachable) code 3 (port unreachable)...
> > with this, the traceroute program will print the final hop... so what
> > happens if there is a udp listening port 32768 on that host? the
> > traceroute program will just increase the udp port number 32768 one at a
> > time until it sees an icmp type 3 code 3... or exhausts the number of
> > tries and gives up because the host is down or the link is broken...
> >
> > for microsoft's traceroute, the same technique as unix's traceroute,
> > using TTL to determine the number of hops along the path, but instead
> > it uses an icmp echo packet so that the final destination host will just
> > reply with an icmp echo reply packet...
> >
> > now you know how the traceroute program works, you already understand
> > why i disabled a function to decrement the ttl value of an ip header or
> > put a firewall on it...
> >
> > fooler.
> >
> >
> > _
> > Philippine Linux Users Group. Web site and archives at
> > http://plug.linux.org.ph To leave: send "unsubscribe" in the body to
> > [EMAIL PROTECTED]
> >
> > Fully Searchable Archives With Friendly Web Interface at
> > http://marc.free.net.ph
> >
> > To subscribe to the Linux Newbies' List: send "subscribe" in the body to
> > [EMAIL PROTECTED]
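The TTL-probing algorithm fooler walks through above, as an added example that is not part of this thread and is nobody's real traceroute: a small Python simulation I wrote of the path model the thread describes. Routers decrement TTL and answer ICMP type 11 code 0 when it reaches zero, the end host never decrements and answers ICMP type 3 code 3 (port unreachable) for the unix UDP probe or an echo reply for the Windows-style ICMP probe, and each probe takes the next UDP port. Two switches on the router model let you compare the effect of the two hiding options from the thread side by side: a router that never decrements TTL (option 1, the kernel edit) disappears from the output entirely and the path looks one hop shorter, while a router whose outgoing type 11 is denied (option 2, the ipchains rule) shows up as a `* * *` timeout line that a traceroute then skips past with TTL + 1. The `Router`, `Host`, `forward_probe` and `traceroute` names, the three-router topology and the RFC 5737 documentation addresses are all constructed for this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed model of the path in the thread: a chain of Linux routers, then the end host.
# Router, Host, forward_probe and traceroute are names invented for this simulation.


@dataclass
class Router:
    addr: str
    decrements_ttl: bool = True        # False models option 1: ip_decrease_ttl() commented out
    sends_time_exceeded: bool = True   # False models option 2: outgoing ICMP type 11 denied by ipchains


@dataclass
class Host:
    addr: str
    listening_udp_ports: Set[int] = field(default_factory=set)


Reply = Tuple[int, int, str]  # (ICMP type, ICMP code, source address of the reply)


def forward_probe(ttl: int, dport: int, routers: List[Router], host: Host,
                  icmp_echo: bool = False) -> Optional[Reply]:
    """Carry one probe along the path. Returns the ICMP reply the sender sees, or None on timeout."""
    for r in routers:
        if not r.decrements_ttl:
            continue                   # option 1: the probe passes through with its TTL untouched
        ttl -= 1
        if ttl == 0:
            # Router behaviour per the RFC: drop the packet, answer ICMP type 11 code 0
            # (TTL exceeded in transit); with option 2 the firewall eats that reply.
            return (11, 0, r.addr) if r.sends_time_exceeded else None
    # End hosts do not decrement TTL; what they answer depends on the probe type.
    if icmp_echo:
        return (0, 0, host.addr)       # Windows tracert style: ICMP echo reply from the destination
    if dport in host.listening_udp_ports:
        return None                    # something listens on that port: no port-unreachable comes back
    return (3, 3, host.addr)           # ICMP type 3 code 3: port unreachable, this is the final hop


def traceroute(routers: List[Router], host: Host, max_hops: int = 30,
               base_port: int = 32768, probes_per_hop: int = 3,
               icmp_echo: bool = False) -> List[Tuple[int, List[str]]]:
    """Unix-style traceroute: TTL 1, 2, 3, ... with a fresh UDP destination port for every probe."""
    port = base_port
    hops = []
    for ttl in range(1, max_hops + 1):
        seen = []
        reached = False
        for _ in range(probes_per_hop):
            reply = forward_probe(ttl, port, routers, host, icmp_echo)
            port += 1                  # the next probe uses the next port, as the thread describes
            seen.append(reply[2] if reply else "*")
            if reply and reply[0] in (0, 3):   # echo reply or port unreachable: destination reached
                reached = True
        hops.append((ttl, seen))
        if reached:
            break
    return hops


def format_trace(hops: List[Tuple[int, List[str]]]) -> str:
    """Render hops the way traceroute prints them: one line per TTL, one column per probe."""
    return "\n".join(f"{ttl:2d}  " + "  ".join(seen) for ttl, seen in hops)


# Constructed topology (RFC 5737 documentation addresses): three routers, then the host.
HOST = Host("198.51.100.10")
NORMAL = [Router("192.0.2.1"), Router("192.0.2.2"), Router("192.0.2.3")]
STEALTH = [Router("192.0.2.1"), Router("192.0.2.2", decrements_ttl=False), Router("192.0.2.3")]
FIREWALLED = [Router("192.0.2.1"), Router("192.0.2.2", sends_time_exceeded=False), Router("192.0.2.3")]

if __name__ == "__main__":
    for label, path in (("normal", NORMAL), ("option 1: no TTL decrement", STEALTH),
                        ("option 2: ICMP type 11 denied", FIREWALLED)):
        print(f"--- {label} ---")
        print(format_trace(traceroute(path, HOST)))
```

Running the script prints three traces: the normal path lists all three routers and the host at TTL 4; the option 1 path never shows 192.0.2.2 and reaches the host at TTL 3, which is the "everything looks normal" result Jopoy asked for; the option 2 path still has four lines but the second is `* * *`, the request-timeout behaviour fooler describes. Passing a `Host` whose `listening_udp_ports` contains one of the ports the final TTL lands on reproduces the listening-port case from the thread (that single probe times out and the next port gets the port unreachable), and `icmp_echo=True` shows why the Windows probe does not depend on ports at all.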
