IP addresses may be obtained simply by knowing a target organization’s name. Since IP packets reach their destination by passing through a series of intermediate gateways (and possibly along different paths), it is useful to learn which gateways lie between the source (yourself) and the destination host.
The command-line tool traceroute does exactly this:
[bash]$ traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 30 hops max, 38 byte packets
 1  yourisp.yourgateway.net (192.168.10.10)  13.069 ms  8.099 ms  10.133 ms
 2  192.168.9.1 (192.168.9.1)  8.675 ms  9.481 ms  7.214 ms
 3  10.1.1.1 (10.1.1.1)  9.292 ms  9.446 ms  12.368 ms
 4  ns1.someexampleserver.net (10.0.0.1)  9.736 ms  9.623 ms  9.647 ms
The traceroute program works by sending UDP packets to high, normally unused ports on the destination (33434 and upwards by default) with their TTL (Time to Live) value set to 1 for the first probe and incremented by 1 for each further hop; three probes are sent per TTL, which is why every line above shows three round-trip times. Each gateway decrements the TTL field of an IP packet by 1 before forwarding it. If the TTL reaches 0, the gateway discards the packet and sends an “ICMP Time to Live Exceeded” message (ICMP type 11) back to the source. The traceroute tool therefore learns the IP address of each gateway along the path by reading the source address of the “ICMP Time to Live Exceeded” messages it receives. When a probe finally reaches the destination host, nothing is listening on the high UDP port, so the host answers with an “ICMP Port Unreachable” message (type 3, code 3); that reply tells traceroute it has reached the end of the path, while a timeout (shown as “*”) means some device along the way dropped either the probe or the ICMP reply.
The traceroute tool sends UDP packets by default, but it can be made to use ICMP Echo Request packets instead when run with the -I switch (this is what the Windows tracert command does by default). The Linux traceroute can also send TCP SYN probes with -T, which often get through filters that drop both UDP and ICMP.
Sometimes firewalls are configured to allow any packet whose source port is 20 (FTP-Data) or 53 (DNS), a leftover from stateless filters that had to let FTP data connections and DNS replies back in. Note that the -p option of traceroute sets the base destination port of the UDP probes, not their source port, and classic traceroute increments that destination port with every probe; to aim every probe at one fixed destination port such as 53, the Linux traceroute offers -U, and to set the source port it offers --sport. With a source port of 53 the probes can slip through such a rule on a stateless filter. Against a stateful firewall the trick does not work, because an unsolicited inbound UDP datagram matches no existing connection regardless of its source port.
Prevent Incoming Traceroute Requests
The following steps can be taken in order to prevent incoming traceroute requests from succeeding:
- Configure your border firewall to drop incoming UDP packets to the traceroute probe range (ports 33434 through 33534 in practice) and incoming ICMP Echo Request packets, rather than all UDP and ICMP: dropping every ICMP message also drops “Fragmentation Needed” (type 3, code 4) and breaks Path MTU Discovery for your own hosts.
- Configure your firewall to drop outgoing “ICMP Time to Live Exceeded” (type 11) packets at the perimeter, so that internal gateways cannot be enumerated even if a probe gets in.
- If you must allow incoming UDP packets for DNS, prefer a stateful rule that only admits replies to queries your resolvers actually sent. On a stateless filter, allow incoming UDP packets with source port 53 (DNS) only when they originate from the specific DNS server IP addresses your resolvers forward to; a blanket source-port-53 rule is exactly the hole the source-port trick described above targets.
These rules hide only the hops behind the firewall: the path up to it remains visible, and TCP SYN probes aimed at a port you serve publicly (80, for example) will still reach that host.
Published on Thu 13 November 2008 by Dave Wilson in Linux with tag(s): traceroute