Traceroute uses either ICMP (Windows) or UDP (Unix and Unix-like).  In order
to block inbound traceroute you need to block:

icmp echo-request (blocks ping and Windows traceroute)

UDP with ports > 30000 (should block most Unix traceroutes)

The problem from a filtering perspective is that although Unix traceroute
usually picks a port in the 30,000 range, some versions are configurable to
pick a different port.  So, someone could, for example, pick port 53, and it
would get through your filter.  One way around this is to just block all UDP
except that which you absolutely need.  (this is called a 'default deny'
stance)

Most sites only need DNS for UDP traffic.  Given this, all you need is to
allow UDP src port 53 to any UDP port >1023 to your internal network from
your external DNS servers.  Block all other UDP traffic and you block all
Unix traceroute activity.

If your only protection from the Internet is a filtering router, you really
should be using a default deny filter and only allowing traffic you know is
legitimate.

These links can help:

http://www.cisco.com/warp/public/707/21.html

http://www.phrack.org/show.php?p=55&a=10

You may also want to investigate using Context Based Access Control (CBAC)
for stateful filtering capability on your router:

http://www.cisco.com/warp/public/110/36.html

HTH,
Kent
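Added example, not part of the thread: a small Python model of the two inbound filters described in the reply above (the UDP ports > 30000 filter and the default-deny filter that only admits DNS replies), evaluated against constructed sample packets. The 10.0.0.0/8 internal network, the 192.0.2.53 external resolver and the 198.51.100.7 Internet host are assumptions; the result shows the port-53 traceroute variant passing the port-based filter but not the default-deny one.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A packet as the router sees it: sport/dport for UDP/TCP, icmp_type for ICMP (8 = echo-request)
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, -1))
@dataclass(frozen=True)
class Rule:                       # one extended-ACL entry, checked in order
    action: str                   # "permit" or "deny"
    proto: str                    # "icmp", "udp", "tcp" or "ip" (any protocol)
    src: str = "0.0.0.0/0"
    sport: tuple = (0, 65535)     # inclusive source-port range
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)     # inclusive destination-port range
    icmp_type: int = None         # None matches any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if not (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)):
            return False
        if p.proto == "icmp":
            return self.icmp_type in (None, p.icmp_type)
        return (self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])

def evaluate(acl, p: Packet) -> str:
    # First matching entry wins; IOS ends every ACL with an implicit "deny ip any any".
    return next((r.action for r in acl if r.matches(p)), "deny")

INTERNAL, EXT_DNS = "10.0.0.0/8", "192.0.2.53/32"   # constructed addresses (assumed)
# Port-based filter: deny icmp any any echo / deny udp any any gt 30000 / permit ip any any
PORT_FILTER = [Rule("deny", "icmp", icmp_type=8),
               Rule("deny", "udp", dport=(30001, 65535)), Rule("permit", "ip")]
# Default-deny filter: only DNS replies from the external resolver to high ports get in
DEFAULT_DENY = [Rule("deny", "icmp", icmp_type=8),
                Rule("permit", "udp", EXT_DNS, (53, 53), INTERNAL, (1024, 65535)),
                Rule("deny", "udp"), Rule("permit", "tcp")]  # TCP policy: stand-in

SAMPLES = {   # constructed inbound packets from Internet host 198.51.100.7
    "ping": Packet("icmp", "198.51.100.7", "10.1.1.1", icmp_type=8),
    "unix traceroute": Packet("udp", "198.51.100.7", "10.1.1.1", 40000, 33434),
    "traceroute -p 53": Packet("udp", "198.51.100.7", "10.1.1.1", 40000, 53),
    "dns reply": Packet("udp", "192.0.2.53", "10.1.1.1", 53, 40000),
}
def verdicts(acl) -> dict:
    # Map each sample packet name to the ACL's permit/deny decision
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}
```

Note that the plain "gt 30000" filter also drops the legitimate DNS reply in the sample, because its destination port happens to fall above 30000; the default-deny list admits it explicitly instead.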

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sgp YH
Sent: Tuesday, December 04, 2001 12:57 AM
To: [EMAIL PROTECTED]
Subject: Deny trace route using ACL on Cisco router [7:28047]


Hi guys/gals
Can someone share with me their experience in
configuring an ACL to deny traceroute from the Internet
to the internal network?  I am wondering what ports to
deny, as they keep changing.

Cheers






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28064&t=28047
