Okay, if people are trace routing to this guy's network, then they're accessing it either via a public IP or a public DNS name that resolves to a public IP that may or may not translate to a different internal address via NAT, etc. If he disallows outgoing ICMP reply packets at his edge routers, his traces will look like the first one below. If he doesn't, his trace may look like the second one, or it may look slightly different if he's NATting (note that a few packets were snipped off the beginning of each trace; it's not an error). Regardless, packets 16-30 in the first trace are what would result if he disabled outgoing ICMP replies.

C:\>tracert www.microsoft.com

Tracing route to www.microsoft.akadns.net [207.46.230.220]
over a maximum of 30 hops:

  4   130 ms   160 ms   141 ms  wdc-core-01.inet.qwest.net [205.171.24.81]
  5   140 ms   141 ms   150 ms  dca-core-02.inet.qwest.net [205.171.8.209]
  6   150 ms   151 ms   140 ms  dca-core-03.inet.qwest.net [205.171.9.50]
  7   181 ms   180 ms   180 ms  chi-core-03.inet.qwest.net [205.171.8.162]
  8   170 ms   180 ms   180 ms  chi-edge-08.inet.qwest.net [205.171.20.118]
  9   160 ms   180 ms   161 ms  66.62.192.1
 10   261 ms   210 ms   210 ms  min-core-02.tamerica.net [205.171.4.201]
 11   220 ms   230 ms   231 ms  sea-core-03.tamerica.net [205.171.8.113]
 12   210 ms   221 ms   210 ms  sea-edge-08.inet.qwest.net [205.171.26.74]
 13   220 ms   230 ms   230 ms  65.116.65.226
 14   221 ms   220 ms   210 ms  207.46.154.29
 15   231 ms   220 ms   220 ms  207.46.155.13
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:\>tracert www.novell.com

Tracing route to www.novell.com [192.233.80.5]
over a maximum of 30 hops:

  4   150 ms   150 ms   140 ms  wdc-core-01.inet.qwest.net [205.171.24.81]
  5   150 ms   140 ms   150 ms  dca-core-02.inet.qwest.net [205.171.8.209]
  6   151 ms   140 ms   150 ms  dca-brdr-02.inet.qwest.net [205.171.9.58]
  7   150 ms   140 ms   150 ms  205.171.1.138
  8   150 ms   141 ms   160 ms  gbr4-p50.wswdc.ip.att.net [12.123.9.54]
  9   161 ms   170 ms   170 ms  gbr4-p10.attga.ip.att.net [12.122.2.161]
 10   190 ms   190 ms   200 ms  gbr3-p10.dlstx.ip.att.net [12.122.3.37]
 11   190 ms   190 ms   181 ms  gbr4-p60.dlstx.ip.att.net [12.122.1.138]
 12   220 ms   221 ms   230 ms  gbr4-p50.dvmco.ip.att.net [12.122.2.102]
 13   230 ms   220 ms   220 ms  gbr1-p20.dvmco.ip.att.net [12.122.5.22]
 14   220 ms   231 ms   220 ms  gbr3-p70.dvmco.ip.att.net [12.122.5.17]
 15   231 ms   230 ms   240 ms  gar1-p360.slkut.ip.att.net [12.122.2.237]
 16   240 ms   240 ms   241 ms  12.127.106.34
 17   230 ms   230 ms   230 ms  192.94.118.223
 18   220 ms   220 ms   221 ms  wwwsvc1.provo.novell.com [192.233.80.5]

Trace complete.

Laura

----- Original Message -----
From: "Network Operations" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 2:38 PM
Subject: Re: How to hide IP's in Trace

The problem with that, however, is that disabling ICMP echo-replies does not hide the IP addresses in traceroute; you simply get a "no response" message back. You still get a complete map of the network path, only without hostnames.

Whaddaya think?

Marc

>>> "Laura A. Robinson" <[EMAIL PROTECTED]> 03/06/02 11:29AM >>>

NAT is designed for more than just obscuring IPs, and if IPSec is in use in this environment, it will negate the ability to use IPSec in transport mode. Without knowing why the OP isn't using NAT, it may not be feasible for his environment. Disallowing ICMP reply packets would achieve the requested result without requiring significant modification.

Just my two cents.
Laura

----- Original Message -----
From: "Network Operations" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 2:21 PM
Subject: Re: How to hide IP's in Trace

That is exactly what NAT is designed to do. Here are a few links that will steer you in the right direction. Good luck!

http://www.cisco.com/warp/public/556/12.html
http://www.cisco.com/warp/public/707/21.html

>>> "Amarnath Gutta" <[EMAIL PROTECTED]> 03/06/02 10:55AM >>>

Hi All,

I have private IP addresses in my network which I want to conceal in traceroutes. Say a customer traces to any IP on the internet; he is able to map my private network also, which I want to prevent. So how can I hide the private IPs in the traceroutes? I use Cisco routers. Any suggestions are welcome.

Regards
Amar

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
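
A way to check a captured tracert output for what the thread is arguing about: which hops still answer, which stay silent, and whether any RFC 1918 address is disclosed. This is an added example, not part of the thread; the sample trace and the `parse_tracert` and `audit` helpers are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ip.is_private also covers other reserved blocks).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hop line: hop number, three probe columns ("141 ms", "<1 ms" or "*"), then the responder.
HOP_RE = re.compile(r"^\s*(\d+)((?:\s+(?:<?\d+ ms|\*)){3})\s+(.*?)\s*$")
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?$")

# Constructed sample in Windows tracert format; not taken from the thread.
SAMPLE = """\
Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    10 ms    11 ms    10 ms  edge-01.example.net [198.51.100.1]
  2    12 ms    12 ms    13 ms  10.20.0.1
  3     *       14 ms    15 ms  core.internal.example [192.168.5.1]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

def parse_tracert(text):
    """Return [(hop_number, address_or_None)] for every hop line in the output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        addr = ADDR_RE.search(m.group(3))
        ip = ipaddress.ip_address(addr.group(1)) if addr else None
        hops.append((int(m.group(1)), ip))
    return hops

def audit(text):
    """Summarise which hops are silent and which disclose RFC 1918 addresses."""
    hops = parse_tracert(text)
    answered = [(n, ip) for n, ip in hops if ip is not None]
    return {
        "silent": [n for n, ip in hops if ip is None],
        "rfc1918": [(n, str(ip)) for n, ip in answered
                    if any(ip in net for net in RFC1918)],
        "last_responder": answered[-1][0] if answered else None,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it against a trace taken before and after a filter change shows whether the hops of concern moved from the `rfc1918` list to the `silent` list.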
