All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ramin Dousti <ramin@cannon.eng.us.uu.net>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>,
	netfilter@lists.netfilter.org
Subject: Re: TTL patch buggy?
Date: Thu, 8 Jan 2004 11:25:20 -0500	[thread overview]
Message-ID: <20040108162520.GA22229@cannon.eng.us.uu.net> (raw)
In-Reply-To: <1073548926.768.15.camel@elendil.intranet.cartel-securite.net>

On Thu, Jan 08, 2004 at 09:02:06AM +0100, Cedric Blancher wrote:

> Avoiding traceroutes can't be easily done by blocking consequences, as
> they are numerous. I mean you can do a traceroute using TCP as well (see
> tcptraceroute tool), or even using applications requests on UDP, such as
> a DNS request (useful to traceroute microsoft.com DNS server), or
> anything else that can trigger a valuable target response. In thoses
> cases, you really can't block final answer as it is a valid one.

traceroute based on application specific characteristics is, IMPV,
easier to prevent as one should know what applications are running internally
and who should have access to them. If its a public service, then,
it does exist and everyone is aware of it. To prevent the visibility
of the intermediate hops, increasing the TTL and/or blocking the ICMP
TTL exceeded is the solution.

> Moreover, if blocking echo-reply is no arm, blocking ICMP errors can
> have really bad side effects. If we look a bit closer, a well configured
> firewall should not let a packet destined to a closed UDP port go
> through...

Very good point.

> Letting conntrack deal with ICMP error is to me the best deal.
> 
> If you really want to prevent traceroute based discoveries, you just
> should raise packets TTL so they don't expire within your network for
> normal operations. So you'll add 2, 3, maybe 4 to the TTL, but not more.
> Resetting TTL to 255 is far too much if a loop appears.

Yes. but the original question was, "what if one doesn't know the depth
of the internal network".

> If you want to prevent discovery based on the TTL of packets you send,
> reset TTL for outbound traffic to a default value such as 64.

Yes, Harald had a comprehensive email, outlining different scenarios and
what to do in each case.

Ramin

> 
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread! 


  reply	other threads:[~2004-01-08 16:25 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-02 15:02 TTL patch buggy? John A. Sullivan III
2004-01-06 18:56 ` Harald Welte
2004-01-06 22:18   ` John A. Sullivan III
2004-01-07 16:16     ` Henrik Nordstrom
2004-01-07 19:04       ` John A. Sullivan III
2004-01-07 19:18         ` Antony Stone
2004-01-07 20:44           ` Ramin Dousti
2004-01-07 19:35         ` Harald Welte
2004-01-07 20:07           ` John A. Sullivan III
2004-01-07 21:38             ` Ramin Dousti
2004-01-08  8:02               ` Cedric Blancher
2004-01-08 16:25                 ` Ramin Dousti [this message]
2004-01-08 19:17                   ` Cedric Blancher
2004-01-07 21:19           ` Ramin Dousti
2004-01-07 20:54             ` Henrik Nordstrom
2004-01-07 20:54               ` Henrik Nordstrom
2004-01-07 22:16               ` Ramin Dousti
2004-01-08  7:14                 ` Henrik Nordstrom
2004-01-08  7:14                   ` Henrik Nordstrom
2004-01-08 20:56                   ` Ramin Dousti
2004-01-07 20:36         ` Ramin Dousti
2004-01-07 19:31       ` Harald Welte
  -- strict thread matches above, loose matches on Subject: below --
2004-01-08 14:32 bmcdowell
2004-01-02 13:13 John A. Sullivan III
2004-01-02 14:27 ` Antony Stone

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040108162520.GA22229@cannon.eng.us.uu.net \
    --to=ramin@cannon.eng.us.uu.net \
    --cc=blancher@cartel-securite.fr \
    --cc=john.sullivan@nexusmgmt.com \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.