Firewalls: Re: Questions about ICMP

Firewalls
(April 1998)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Questions about ICMP
From:	Jean-Christophe Touvet <jct @ EdelWeb . fr>
Date:	Wed, 08 Apr 1998 13:33:52 +0200
To:	rdew @ el . nec . com (Bob De Witt)
Cc:	firewalls @ greatcircle . com, rramirez @ encomix . es, Rick_McMaster @ freddiemac . com
In-reply-to:	<199804080028 . RAA21081 @ yginsburg . el . nec . com>

> Maybe I'm just stupid today, but isn't traceroute just a series of ICMP
> packets
> with a specific Time-To-Live set in stages?

 Actually, there are two main flavors of traceroute:

1. UNIX (Van Jacobson's): high-numbered UDP ports incoming (usually UDP ports
33434 + 3*TTL), ICMP_TIMXCEED or ICMP_UNREACH_PORT outgoing

2. Windows: ICMP_ECHO incoming, ICMP_TIMXCEED or ICMP_ECHOREPLY outgoing

 Any IP protocol could be used. Incidentally, we have developed a TCP variant
which works very well.

> And if ICMP packets are allowed,
> how do you block the "traceroute" program?

 You can't.

    -JCT-

References:

RE: Questions about ICMP
From: rdew @ el . nec . com (Bob De Witt)

Indexed By Date	Previous:	Re: fw-1 stateful inspection vulnerabilities From: Bennett Todd <bet @ rahul . net>
Indexed By Date	Next:	RE: Questions about ICMP From: Nuno Guarda <nuno . guarda @ lr . isla . pt>
Indexed By Thread	Previous:	Re: Questions about ICMP From: "Gregory D. Otto" <gdo @ newf . com>
Indexed By Thread	Next:	RE: Questions about ICMP From: Nuno Guarda <nuno . guarda @ lr . isla . pt>