* Playing nice with incoming traceroutes
@ 2010-05-14 21:17 Curby
2010-05-15 16:51 ` Pieter Smit
2010-05-16 21:00 ` Curby
0 siblings, 2 replies; 6+ messages in thread
From: Curby @ 2010-05-14 21:17 UTC (permalink / raw)
To: netfilter
Hello, I'm considering allowing inbound traceroutes to find me, in the
interest of being a good Internet citizen. I could simply open the
right udp ports, but I'd rather more tightly control what's allowed
than simply opening them up entirely. Thus I'm considering something
like the following. Should it meet my expectations of responding
appropriately to traceroutes but otherwise not letting traffic
through?
-A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable
I'm using ttl-eq 1 because that's the lowest TTL that showed up in my
netfilter logs when I tried to traceroute my machine earlier. In
other words, I don't think I should use 0, but am willing to be
convinced otherwise.
Also, I'm a little unsure if I should be using another ICMP code when
I send the REJECT packet. But port unreachable seemed reasonable. =)
Thanks!
--Mike
* Re: Playing nice with incoming traceroutes
2010-05-14 21:17 Playing nice with incoming traceroutes Curby
@ 2010-05-15 16:51 ` Pieter Smit
2010-05-16 3:17 ` Bill Bogstad
2010-05-16 22:22 ` Pascal Hambourg
2010-05-16 21:00 ` Curby
1 sibling, 2 replies; 6+ messages in thread
From: Pieter Smit @ 2010-05-15 16:51 UTC (permalink / raw)
To: Curby; +Cc: netfilter
You would send an ICMP time exceeded (type 11) packet: if you receive a
packet with a ttl=1, you will decrement it by one, realize it is 0 and send
the ICMP time exceeded.
Traceroute could also use ping ICMP echo request (type 8).
Pieter
On Fri, May 14, 2010 at 11:17 PM, Curby <curby@cur.by> wrote:
> Hello, I'm considering allowing inbound traceroutes to find me, in the
> interest of being a good Internet citizen. I could simply open the
> right udp ports, but I'd rather more tightly control what's allowed
> than simply opening them up entirely. Thus I'm considering something
> like the following. Should it meet my expectations of responding
> appropriately to traceroutes but otherwise not letting traffic
> through?
>
> -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable
>
> I'm using ttl-eq 1 because that's the lowest TTL that showed up in my
> netfilter logs when I tried to traceroute my machine earlier. In
> other words, I don't think I should use 0, but am willing to be
> convinced otherwise.
>
> Also, I'm a little unsure if I should be using another ICMP code when
> I send the REJECT packet. But port unreachable seemed reasonable. =)
>
> Thanks!
>
> --Mike
* Re: Playing nice with incoming traceroutes
2010-05-15 16:51 ` Pieter Smit
@ 2010-05-16 3:17 ` Bill Bogstad
2010-05-16 22:22 ` Pascal Hambourg
1 sibling, 0 replies; 6+ messages in thread
From: Bill Bogstad @ 2010-05-16 3:17 UTC (permalink / raw)
To: Pieter Smit; +Cc: Curby, netfilter
On Sat, May 15, 2010 at 12:51 PM, Pieter Smit <mlist2010@vigor.co.za> wrote:
> You would send an ICMP time exceeded (type 11) packet: if you receive a
> packet with a ttl=1, you will decrement it by one, realize it is 0 and send
> the ICMP time exceeded.
>
> Traceroute could also use ping ICMP echo request (type 8).
Or TCP SYN packets. From "man traceroute" on my Ubuntu system:
-I Use ICMP ECHO for probes
-T Use TCP SYN for probes
Actually the "LIST OF AVAILABLE METHODS" section is quite extensive.
Apparently people have been hacking on traceroute while I wasn't watching.
Bill Bogstad
* Re: Playing nice with incoming traceroutes
2010-05-15 16:51 ` Pieter Smit
2010-05-16 3:17 ` Bill Bogstad
@ 2010-05-16 22:22 ` Pascal Hambourg
1 sibling, 0 replies; 6+ messages in thread
From: Pascal Hambourg @ 2010-05-16 22:22 UTC (permalink / raw)
To: Pieter Smit; +Cc: Curby, netfilter
Hello,
Pieter Smit wrote:
> You would send an ICMP time exceeded (type 11) packet: if you receive a
> packet with a ttl=1, you will decrement it by one, realize it is 0 and send
> the ICMP time exceeded.
Only an intermediate router would do that, not the final destination.
* Re: Playing nice with incoming traceroutes
2010-05-14 21:17 Playing nice with incoming traceroutes Curby
2010-05-15 16:51 ` Pieter Smit
@ 2010-05-16 21:00 ` Curby
2010-05-16 22:26 ` Pascal Hambourg
1 sibling, 1 reply; 6+ messages in thread
From: Curby @ 2010-05-16 21:00 UTC (permalink / raw)
To: netfilter
On Fri, May 14, 2010 at 3:17 PM, Curby <curby@cur.by> wrote:
> Hello, I'm considering allowing inbound traceroutes to find me, in the
> interest of being a good Internet citizen. I could simply open the
So I did some testing, and it seems that my Debian system really does
act as the traceroute program expects. From the manpage talking about
the default UDP method: "Since the ports are expected to be unused,
the destination host normally returns "icmp unreach port" as a final
response."
Sniffing the ICMP traffic confirms the use of 3/3 "port unreachable" replies.
On Sat, May 15, 2010 at 10:51 AM, Pieter Smit <mlist2010@vigor.co.za> wrote:
> You would send an ICMP time exceeded (type 11) packet: if you receive a
> packet with a ttl=1, you will decrement it by one, realize it is 0 and send
> the ICMP time exceeded.
Documentation suggests that well-behaved routers on the path to the
destination host are meant to respond with ICMP type 11, but it's
perfectly acceptable (and perhaps even expected) that the actual
destination host respond with an ICMP type 3 code 3 (port unreachable)
instead.
Re: multiple scan types, I'm just going to explicitly build in support
for UDP and ICMP scans. I'm not going to explicitly deny SYNs sent to
all TCP ports. =)
--Mike
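The rules discussed in this thread can be checked offline before they go into a live INPUT chain. The following Python is an added example, not code from the thread or from the netfilter project: it parses netfilter LOG lines of the kind Curby mentions (constructed samples, not real captures), applies a model of the proposed UDP rule plus an ICMP echo-request ACCEPT rule to each packet, and shows why the probe that finally reaches the destination host arrives with TTL 1, which is the observation behind `--ttl-eq 1`. It assumes the kernel's standard key=value LOG format, a default INPUT policy of DROP, and that no other rules are in the chain; none of that is stated in the thread.

```python
"""Added example (not from the thread): model how the INPUT rules discussed
above treat incoming traceroute probes, run over constructed netfilter LOG
lines.  Assumed rules (default policy DROP assumed as well):
  -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable
  -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
"""
import re

# Constructed sample log lines (not real captures).  Addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
May 14 13:02:11 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=1 ID=4711 DF PROTO=UDP SPT=40123 DPT=33435 LEN=40
May 14 13:02:11 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=2 ID=4712 DF PROTO=UDP SPT=40124 DPT=33436 LEN=40
May 14 13:02:12 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TTL=1 ID=4713 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
May 14 13:02:13 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=52 ID=9001 DF PROTO=UDP SPT=5353 DPT=33434 LEN=40
May 14 13:02:14 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=52 ID=9002 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")

# --dport 33434:33534 is an inclusive range in iptables.
TRACEROUTE_PORTS = range(33434, 33535)


def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict.
    Keys that appear twice (LEN, ID on ICMP lines) keep their first, IP-level
    value; bare flags such as DF or SYN carry no '=' and are ignored."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields


def classify(fields, ttl_match=True):
    """Decide what the modelled INPUT chain does with one logged packet.

    Returns one of:
      'REJECT icmp-port-unreachable'  the UDP traceroute rule matched
      'ACCEPT'                        the ICMP echo-request rule matched
      'DROP (policy)'                 nothing matched, default policy applies
    With ttl_match=False the UDP rule is evaluated without '-m ttl --ttl-eq 1',
    i.e. the looser variant that also answers probes arriving with TTL > 1.
    """
    proto = fields.get("PROTO")
    if proto == "UDP":
        dport = int(fields.get("DPT", -1))
        ttl = int(fields.get("TTL", -1))
        if dport in TRACEROUTE_PORTS and (not ttl_match or ttl == 1):
            return "REJECT icmp-port-unreachable"
    elif proto == "ICMP" and fields.get("TYPE") == "8":
        return "ACCEPT"
    return "DROP (policy)"


def arrival_ttl(initial_ttl, hops_to_dest):
    """TTL a probe carries when it reaches the destination host, or None if an
    intermediate router expired it first (that router, not the host, answers
    with ICMP type 11).  Every forwarding router decrements the TTL by one and
    drops it at zero; the destination is hop number hops_to_dest, so
    hops_to_dest - 1 routers sit in front of it and it does not decrement
    the TTL itself.  This is why the final-hop probe shows up with TTL=1."""
    remaining = initial_ttl - (hops_to_dest - 1)
    return remaining if remaining >= 1 else None


def analyse(log_text, ttl_match=True):
    """Classify every line of a LOG extract; returns (src, proto, dpt, ttl, verdict)."""
    results = []
    for fields in map(parse_log_line, log_text.splitlines()):
        if not fields:
            continue
        results.append((fields["SRC"], fields["PROTO"], fields.get("DPT"),
                        fields["TTL"], classify(fields, ttl_match)))
    return results


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        print("%-14s %-5s dpt=%-6s ttl=%-3s -> %s" % row)
    for t in range(1, 5):
        print("probe sent with TTL=%d to a host 3 hops away arrives with TTL=%s"
              % (t, arrival_ttl(t, 3)))
```

Running it shows the point Pascal makes: the TTL=1 UDP probe is answered with port unreachable, the TTL=2 probe from the same traceroute run falls through to the DROP policy under the strict rule and is only answered by the `ttl_match=False` variant, the echo request is accepted, and the TCP SYN to port 22 is dropped either way. The strict rule is therefore sufficient for the default UDP method, because traceroute's last useful probe always arrives at TTL 1, while anything sent to those ports with a higher TTL is still dropped.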
Thread overview: 6+ messages
2010-05-14 21:17 Playing nice with incoming traceroutes Curby
2010-05-15 16:51 ` Pieter Smit
2010-05-16 3:17 ` Bill Bogstad
2010-05-16 22:22 ` Pascal Hambourg
2010-05-16 21:00 ` Curby
2010-05-16 22:26 ` Pascal Hambourg