Sunday, September 13, 2015

Advanced Traceroute: Firewalk

The module for class this week describes using IP packet time to live (TTL) values to map out the route that your packets take across the network to reach a destination. Modern operating systems ship with tools that perform this sort of diagnostic: Windows tracert sends ICMP Echo Request packets, while UNIX and Linux traceroute sends UDP datagrams to high-numbered ports. (UMUC, 2012)

Send a packet with a TTL of one and the first hop in the route responds with an ICMP error of type 11, Time Exceeded, code 0, time to live exceeded in transit. (Postel, 1981) Then send packets with successively higher TTL values until the destination itself responds. By recording the source address of each ICMP error message you build a list of nodes in which the sender of the error for TTL N is N hops away. That works as long as the network gateways in the path let your tracer packets in and let the ICMP errors back out.

Firewall devices may drop tracer packets because they only allow specific traffic services through. An advanced traceroute technique accounts for this and uses a TTL of the firewall's distance plus one to map the services that firewall allows, a technique known as firewalking. (Irby, 2000) A probe that the firewall forwards expires at the next hop behind it and draws a Time Exceeded error from that hop; a probe the firewall filters draws nothing. It works because traceroute operates at the IP level and leaves the encapsulated protocol up to the sender: TCP, UDP, ICMP or any other transport layer protocol can be tested. If a Windows traceroute times out at a hop, but a probe to UDP port 53, DNS, sent with that hop's distance plus one gets a response, then that device is dropping ICMP Echo Requests but allows DNS traffic through. (Irby, 2000)
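The two procedures above, the TTL ramp of an ordinary traceroute and the gateway-plus-one probing of a firewalk, as an added example. This is not code from the post, the CSEC-640 module or the Firewalk tool: the route, the addresses (RFC 5737 documentation space) and the firewall policy are constructed for the demonstration, and the hop-by-hop TTL handling is simulated in `send()` rather than sent with raw sockets, so it runs offline without root. The names `Probe`, `Hop`, `traceroute`, `gateway_distance` and `firewalk` are this example's own.

```python
"""Traceroute and firewalk over a simulated route (added example)."""
from dataclasses import dataclass
from typing import Optional

# RFC 792: ICMP type 11 (Time Exceeded), code 0 (TTL exceeded in transit).
TIME_EXCEEDED = (11, 0)
DROPPED = None


@dataclass
class Probe:
    proto: str             # "icmp-echo", "udp" or "tcp"
    dport: Optional[int]   # destination port for udp/tcp, None for icmp-echo
    ttl: int


@dataclass
class Hop:
    addr: str
    # None: ordinary router that forwards everything.
    # set: a firewall that forwards only these (proto, dport) services.
    allow: Optional[set] = None


def send(routers, dest, probe):
    """Deliver one probe hop by hop; return (replying address, reply) or DROPPED."""
    ttl = probe.ttl
    for hop in routers:
        ttl -= 1
        # A forwarding router decrements TTL first; at zero it discards the
        # packet and returns Time Exceeded regardless of its policy. That is
        # why a firewalk probe uses gateway distance + 1: the firewall must
        # actually forward it for any reply to come back.
        if ttl == 0:
            return hop.addr, TIME_EXCEEDED
        if hop.allow is not None and (probe.proto, probe.dport) not in hop.allow:
            return DROPPED          # silently filtered, no ICMP error at all
    # The destination host answers whatever reaches it (echo reply, port
    # unreachable, SYN/ACK or RST); the exact reply type does not matter here.
    return dest, "destination-reply"


def traceroute(routers, dest, proto, dport=None, max_ttl=30):
    """Classic traceroute: TTL 1, 2, 3 ... until the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send(routers, dest, Probe(proto, dport, ttl))
        if reply is DROPPED:
            hops.append((ttl, "*"))          # timeout, printed as * by tracert
            continue
        addr, kind = reply
        hops.append((ttl, addr))
        if kind != TIME_EXCEEDED:
            break
    return hops


def gateway_distance(hops):
    """TTL of the last hop that answered before the first timeout, or None."""
    last = None
    for ttl, addr in hops:
        if addr == "*":
            return last
        last = ttl
    return None


def firewalk(routers, dest, gateway_ttl, services):
    """Probe each service with TTL = gateway distance + 1.

    Any reply (Time Exceeded from the hop behind the gateway, or an answer
    from the destination) proves the gateway forwarded that service;
    silence means it filtered it.
    """
    verdict = {}
    for proto, dport in services:
        reply = send(routers, dest, Probe(proto, dport, gateway_ttl + 1))
        verdict[(proto, dport)] = "filtered" if reply is DROPPED else "open"
    return verdict


# Constructed topology: two internal routers, a firewall that only passes
# DNS and web traffic, one router behind it, then the target host.
ROUTERS = [
    Hop("10.0.0.1"),
    Hop("10.0.0.2"),
    Hop("203.0.113.1", allow={("udp", 53), ("tcp", 80), ("tcp", 443)}),
    Hop("203.0.113.2"),
]
DEST = "203.0.113.10"
SERVICES = [("icmp-echo", None), ("udp", 53), ("tcp", 80), ("tcp", 23)]

if __name__ == "__main__":
    echo_trace = traceroute(ROUTERS, DEST, "icmp-echo", max_ttl=6)  # tracert-style
    print("icmp-echo trace:", echo_trace)
    gw = gateway_distance(echo_trace)
    print("gateway sits at TTL", gw)
    print("firewalk:", firewalk(ROUTERS, DEST, gw, SERVICES))
```

Running it reproduces the situation in the paragraph above: the ICMP Echo trace answers up to the firewall at TTL 3 and then times out, while the firewalk at TTL 4 gets Time Exceeded from 203.0.113.2 for UDP/53 and TCP/80 and nothing for ICMP Echo or TCP/23. On a live network, substitute the same probes built with scapy or the firewalk utility for `send()`; the distance and classification logic is unchanged.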

Irby, D. (2000). Firewalk: Can Attackers See Through Your Firewall? SANS.

Postel, J. (1981). RFC 792: Internet Control Message Protocol. Network Working Group.

UMUC. (2012). Advanced TCP/IP, CSEC-640 – Module 1. Retrieved from:
