Great Circle Associates Firewalls
(April 1998)


Subject: RE: Questions about ICMP
From: Christopher Zarcone <czarcone @ vf . lmco . com>
Date: Wed, 08 Apr 1998 09:19:53 -0400 (EDT)
To: firewalls @ greatcircle . com
Reply-to: Christopher Zarcone <czarcone @ vf . lmco . com>

traceroute works by sending *UDP* packets with short TTLs. The packets are sent 
to a random high-numbered port on the target host.

ICMP is used for the reply messages, of which there are two:

- Time exceeded (sent by a router when the packet's TTL expires)
- Unreachable port (sent by the target host, because there is no service 
listening on the random high-numbered port; well, at least you hope there isn't :)


Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone @ vf . lmco . com  *  Chris . Zarcone @ lmco . com  *  czarcone @ acm .
       My opinions do not necessarily reflect those of my employer.


>Maybe I'm just stupid today, but isn't traceroute just a series of ICMP packets
>with a specific Time-To-Live set in stages?  And if ICMP packets are allowed, 
>how do you block the "traceroute" program?
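
The packet types described in the message above, as an added example that is not part of the original post: a classifier that tells the UDP probe and its two ICMP replies apart from an ordinary ICMP echo, using the original header that an ICMP error quotes back. The addresses, function names and the probe heuristic (TTL of 30 or less, destination port 33434 or higher, the classic Unix traceroute defaults) are assumptions made for the illustration.

```python
import struct

# ICMP (type, code) pairs for the two reply messages named in the post.
TIME_EXCEEDED = (11, 0)     # TTL expired in transit, sent by a router
PORT_UNREACHABLE = (3, 3)   # no listener on the UDP port, sent by the target

def ipv4(proto, ttl, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at 0; constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_error(kind, original):
    """ICMP error: 8-byte header, then the quoted IP header + 8 payload bytes."""
    return struct.pack("!BBHI", kind[0], kind[1], 0, 0) + original[:28]

def classify(packet):
    """Return (label, udp_dport) for an IPv4 packet; dport is None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    body = packet[ihl:]
    if proto == 17 and len(body) >= 8:
        dport = struct.unpack("!H", body[2:4])[0]
        # Heuristic (assumption): low TTL plus a high port looks like a probe.
        return ("udp-probe-candidate" if ttl <= 30 and dport >= 33434 else "udp", dport)
    if proto == 1 and len(body) >= 8:
        kind = (body[0], body[1])
        quoted = body[8:]   # the offending datagram, as quoted by the sender
        if kind in (TIME_EXCEEDED, PORT_UNREACHABLE) and len(quoted) >= 28:
            q_ihl = (quoted[0] & 0x0F) * 4
            if quoted[9] == 17 and len(quoted) >= q_ihl + 4:
                dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
                label = "time-exceeded" if kind == TIME_EXCEEDED else "port-unreachable"
                return (label + "-for-udp", dport)
        return ("icmp-other", None)
    return ("other", None)

# Constructed sample packets (RFC 5737 documentation addresses).
SRC, HOP, DST = [192, 0, 2, 10], [198, 51, 100, 1], [203, 0, 113, 5]
PROBE = ipv4(17, 1, SRC, DST, udp(40000, 33435))
HOP_REPLY = ipv4(1, 64, HOP, SRC, icmp_error(TIME_EXCEEDED, PROBE))
FINAL_REPLY = ipv4(1, 64, DST, SRC, icmp_error(PORT_UNREACHABLE, PROBE))
ECHO = ipv4(1, 64, SRC, DST, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
```

A filter rule keyed only on ICMP echo matches none of the first three packets, which is why the probe's UDP header and the quoted header inside the ICMP errors are the fields to inspect.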
