Strykar's lore
(last updated 22-09-2007)
Traceroute - A slick hack for intermediate router and path discovery.

Traceroute is a utility that tracks the path (route) packets take to a specified destination. No system knows the full path to its destination beforehand; it only knows the path to its next hop or router, and traceroute is a hack that uses this property of the Internet Protocol to determine the routers along the path.

TTL (Time To Live) is a field in the header of every IP packet. When the host OS creates a packet, it typically assigns a TTL of 16, 30 or 255. Every router the packet passes on its journey to the destination decrements this value by 1. If the TTL field is reduced to 0, the router assumes the packet is caught in some sort of loop; the packet is encapsulated in an ICMP TTL exceeded message and sent back to the source address.

Traceroute sends specially constructed packets, usually ICMP echo or UDP, to the remote destination address with a randomly selected port number that is also typically incremented with each probe. UNIX/Linux traceroute uses UDP, while Microsoft Windows tracert uses ICMP. The TTL on these packets is deliberately very low; it starts at 1. This causes routers to reject the packets as if they were looping, and these rejections (ICMP TTL exceeded messages) let traceroute determine the intermediate routers. The first router that comes across traceroute's probe with a TTL of 1 decrements it to 0, assumes the packet is in a loop, and returns an ICMP TTL exceeded message, which tells traceroute the IP address of the first router. Traceroute then sends another packet with a TTL of 2. This packet makes it to the second router on the way before its TTL is decremented to 0, so traceroute deduces that the second TTL exceeded message comes from the second router on the path. Traceroute continues crafting packets with a TTL of 3, 4 and so on until the path to the destination is known.

Traceroute knows path discovery is complete when it receives an ICMP echo reply or an ICMP destination unreachable message rather than another TTL exceeded message from a router. It will also display any ICMP host unreachable, network unreachable and other ICMP messages received from the routers.

Traceroute is designed to determine the network addresses that packets pass through, so using it with NAT can create confusion. Running traceroute from a translated address should not cause a problem, but running traceroute to a translated address may produce unpredictable mappings or fail. If traceroute's packets cannot reach the destination host or cannot elicit a response from it, the probe times out.

Another traceroute implementation that does not rely on UDP/ICMP is the utility tcptraceroute, which can be used through restrictive firewalls that block UDP and ICMP. It crafts TCP packets with the SYN flag set and waits for a SYN/ACK; a SYN/ACK indicates that something is listening on that port for connections. Point it at ports which are typically open, like HTTP or SMTP. When it receives a response, tcptraceroute sends a packet with the RST flag set to close the connection. This allows probing for hosts behind a firewall that would drop UDP packets, which is exactly why ICMP TTL exceeded messages should not be allowed to leave a LAN segment behind a router for the Internet.

Additional reading: Firewalk whitepaper
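The hop-by-hop mechanism described above, as an added example that is not part of the original page: a small Python simulation of a chain of routers that decrement TTL exactly as described, answer with ICMP TTL exceeded when it hits 0, and let the destination answer with port unreachable (UDP), echo reply (ICMP) or SYN/ACK and RST (TCP). The network, its addresses (RFC 5737 documentation ranges) and the two special routers are constructed for the example: a perimeter filter that silently drops UDP and ICMP probes, and a router configured not to emit TTL exceeded, which shows up as `*` in the trace even though the path still completes at the destination. The return path is not modelled.

```python
"""Toy model of the traceroute TTL trick.  Constructed network, nothing on the wire."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Probe:
    proto: str          # "udp", "icmp" or "tcp"
    ttl: int
    port: int = 0       # destination port for udp/tcp probes


@dataclass
class Router:
    addr: str
    drops: FrozenSet[str] = frozenset()      # protocols this hop filters silently
    silent_on_ttl_exceeded: bool = False     # hop configured not to send ICMP TTL exceeded


@dataclass
class Network:
    routers: List[Router]
    dest: str
    open_tcp_ports: Tuple[int, ...] = (80,)


Reply = Optional[Tuple[str, str]]            # (responder address, message) or None


def deliver(net: Network, probe: Probe) -> Reply:
    """Walk the probe hop by hop, decrementing TTL as each router would."""
    ttl = probe.ttl
    for router in net.routers:
        if probe.proto in router.drops:
            return None                       # filtered: no ICMP comes back at all
        ttl -= 1
        if ttl == 0:
            if router.silent_on_ttl_exceeded:
                return None                   # indistinguishable from a timeout
            return (router.addr, "ttl-exceeded")
    # TTL survived every router, so the destination host itself answers
    if probe.proto == "udp":
        return (net.dest, "port-unreachable")  # nothing listens on the high port
    if probe.proto == "icmp":
        return (net.dest, "echo-reply")
    if probe.port in net.open_tcp_ports:
        return (net.dest, "syn-ack")           # tcptraceroute then sends RST to tear down
    return (net.dest, "rst")


FINAL = {"port-unreachable", "echo-reply", "syn-ack", "rst"}


def traceroute(net: Network, proto: str = "udp", port: int = 33434, max_ttl: int = 30):
    """Return [(ttl, responder or '*', message or None), ...], stopping at the destination."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        # classic UDP traceroute bumps the destination port on every probe
        probe_port = port + ttl - 1 if proto == "udp" else port
        reply = deliver(net, Probe(proto, ttl, probe_port))
        if reply is None:
            hops.append((ttl, "*", None))
            continue
        addr, msg = reply
        hops.append((ttl, addr, msg))
        if msg in FINAL:
            break
    return hops


def render(hops) -> str:
    return "\n".join(f"{ttl:2d}  {addr:<15}  {msg or 'timeout'}" for ttl, addr, msg in hops)


# Constructed sample path (documentation addresses, not real hosts)
SAMPLE = Network(
    routers=[
        Router("10.0.0.1"),
        Router("10.0.0.2", drops=frozenset({"udp", "icmp"})),   # perimeter filter
        Router("192.0.2.1", silent_on_ttl_exceeded=True),        # no TTL exceeded leaves here
    ],
    dest="198.51.100.10",
    open_tcp_ports=(80,),
)

if __name__ == "__main__":
    for proto, port in (("udp", 33434), ("icmp", 0), ("tcp", 80)):
        print(f"--- {proto} traceroute to {SAMPLE.dest} ---")
        print(render(traceroute(SAMPLE, proto, port, max_ttl=6)))
```

Running it shows the UDP and ICMP traces stalling at `*` from hop 2 onward, while the TCP trace to port 80 passes the filter, shows hop 3 as `*` because that router keeps its TTL exceeded messages inside, and still ends with the destination's SYN/ACK at hop 4.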

Last updated on Fri Dec 20 16:10:00 2007.