From: alexus (mldb@nexgen.com)
Date: Tue Jun 26 2001 - 14:30:28 CDT


    someone else using ttl=1? that sux.. oh well i guess it's impossible to
    disable it.. cuz i don't want to block something that should work..

    thanks everyone

    ----- Original Message -----
    From: "Peter Pentchev" <roam@orbitel.bg>
    To: "alexus" <mldb@nexgen.com>
    Cc: "Simon Rakovec" <simon@inforta.com>; <freebsd-security@freebsd.org>
    Sent: Tuesday, June 26, 2001 1:58 AM
    Subject: Re: disable traceroute to my host

    > On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
    > > i agree this is not a solution.. looks like ttl=1 is best solution so far
    >
    > TTL=1 is not a general solution, because it only blocks traceroutes to this
    > particular host, not to any machines that it is acting as a gateway for.
    >
    > Moreover, TTL=1 is not a real-world solution, because some *legitimate*
    > packets might arrive with TTL=1 (yes, there are some OS's that set too
    > low TTL's on outgoing packets, and there are some global backbone ISP's
    > which have a *lot* of routers, so it is possible that a normal packet
    > destined for your host should reach you with TTL=1).
    >
    > And just btw.. Really, why do you want to block traceroutes?
    >
    > G'luck,
    > Peter
    >
    > --
    > because I didn't think of a good beginning of it.
    >
    > > ----- Original Message -----
    > > From: "Peter Pentchev" <roam@orbitel.bg>
    > > To: "Simon Rakovec" <simon@inforta.com>
    > > Cc: <freebsd-security@freebsd.org>
    > > Sent: Monday, June 25, 2001 2:37 AM
    > > Subject: Re: disable traceroute to my host
    > >
    > >
    > > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
    > > > > Try this:
    > > > >
    > > > > ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523
    > > >
    > > > As Karsten noted in a followup, this is not proper network practice.
    > > > There might be a LOT of things listening on those UDP ports, including
    > > > ephemeral outgoing UDP connections.
    > > >
    > > > As many other people noted, this does not stop Windows traceroute,
    > > > which goes via ICMP.
    > > >
    > > > As the traceroute(8) manpage notes, this does not stop people who
    > > > know how to use the traceroute '-p port' option to select a starting
    > > > port != 32768.
    > > >
    > > > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
    > > > a person determined to traceroute you, and in practice, there is
    > > > no need to.
    > > >
    > > > G'luck,
    > > > Peter
    > > >
    > > > PS. How was that now... one source: plagiarism, two sources: comparative
    > > > study, three sources: an academic thesis.. I did even better than that! ;)
    > > >
    > > > --
    > > > Thit sentence is not self-referential because "thit" is not a word.
    > > >
    > > > > alexus wrote:
    > > > > >
    > > > > > is it possible to disable using ipfw so people won't be able to traceroute
    > > > > > me?
    >
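The thread argues, from several angles, that both proposed blocks (the ipfw UDP port-range deny and dropping packets that arrive with TTL=1) drop legitimate traffic while still missing some traceroutes. The following is an added example, not code from the thread or from any of the posters: a small rule-impact audit in Python that models the two rules as written in the messages above and runs them over a constructed packet set (all sample ports, TTLs and labels are constructed for illustration, as are the helper names `ipfw_udp_range_rule`, `ttl_one_rule` and `audit`). It reports, for each rule, which ordinary packets would be dropped and which probes would still get through, so a defender can see the collateral damage before installing such a rule.

```python
"""Rule-impact audit for the two traceroute-blocking ideas discussed in the thread.

Added example (not from the mailing-list thread). Every packet below is
constructed; the rules are plain models of the text in the messages.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "icmp"
    sport: int            # UDP source port (0 for ICMP)
    dport: int            # UDP destination port (0 for ICMP)
    ttl: int              # TTL as seen when the packet arrives at this box
    for_this_host: bool   # True if addressed to this host, False if being forwarded
    legit: bool           # constructed ground truth: ordinary traffic (True) or probe (False)
    note: str             # human-readable label used in the audit output


def ipfw_udp_range_rule(pkt: Packet) -> bool:
    """Model of `ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523`.

    Returns True when the rule would drop the packet. Only UDP addressed to this
    host with both ports inside the stated ranges matches; ICMP never does.
    """
    return (pkt.proto == "udp"
            and pkt.for_this_host
            and 32769 <= pkt.sport <= 65535
            and 33434 <= pkt.dport <= 33523)


def ttl_one_rule(pkt: Packet) -> bool:
    """Model of the 'drop anything that arrives with TTL=1' idea.

    Returns True when the packet would be dropped. A packet this box forwards to a
    machine behind it arrives with a higher TTL and is therefore never matched.
    """
    return pkt.ttl == 1


# Constructed packet set: three kinds of probe plus ordinary traffic that a
# careless rule would catch.
SAMPLE_PACKETS: List[Packet] = [
    # Classic UNIX traceroute probe: ephemeral source port, default dport base 33434.
    Packet("udp", 40123, 33435, 1, True, False, "traceroute probe, default port base"),
    # traceroute '-p' with a non-default base port (traceroute(8)), outside the range.
    Packet("udp", 40124, 50001, 1, True, False, "traceroute -p 50000 probe"),
    # Windows tracert uses ICMP echo rather than UDP.
    Packet("icmp", 0, 0, 1, True, False, "Windows tracert ICMP echo"),
    # Probe for a host behind this gateway; it arrives here with TTL=2 and is forwarded.
    Packet("udp", 40125, 33436, 2, False, False, "probe for host behind gateway"),
    # Reply to a UDP request this host sent from ephemeral port 33440 (constructed).
    Packet("udp", 49200, 33440, 52, True, True, "reply to outgoing UDP request"),
    # Ordinary DNS reply that arrives with TTL=1 after a long path / low initial TTL.
    Packet("udp", 53, 4321, 1, True, True, "DNS reply, long path or low initial TTL"),
    # Ordinary DNS reply with a comfortable remaining TTL.
    Packet("udp", 53, 4322, 50, True, True, "DNS reply, normal TTL"),
]


def audit(rule: Callable[[Packet], bool],
          packets: List[Packet] = SAMPLE_PACKETS) -> Tuple[List[str], List[str]]:
    """Run one rule over the packet set.

    Returns (false_positives, misses): labels of legitimate packets the rule
    drops, and labels of probes the rule lets through.
    """
    false_positives = [p.note for p in packets if p.legit and rule(p)]
    misses = [p.note for p in packets if not p.legit and not rule(p)]
    return false_positives, misses


if __name__ == "__main__":
    for name, rule in (("ipfw UDP port-range deny", ipfw_udp_range_rule),
                       ("drop TTL=1", ttl_one_rule)):
        fp, missed = audit(rule)
        print(f"{name}:")
        print(f"  legitimate traffic dropped: {fp}")
        print(f"  probes still getting through: {missed}")
```

Running the audit shows the two failure modes the thread describes side by side: the port-range rule silently breaks a reply to the host's own outgoing UDP request and does nothing against ICMP-based or `-p` traceroutes, while the TTL=1 rule discards an ordinary reply that merely arrived with a low TTL and offers no cover at all for hosts behind the gateway. Extending `SAMPLE_PACKETS` with flows captured from the real host is the natural next step before committing to any such rule.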
