shielder
Member Candidate
Topic Author
Posts: 221
Joined: Wed Feb 09, 2005 7:09 pm
Location: Indonesia

How to block traceroute and allow ping?

Sat Apr 22, 2006 9:16 am

Hi, I wish to block traceroute on my network but still allow ping. I have searched on Google and found ICMP type 30 as traceroute, but when I tried to set it in the ICMP options found in the firewall, there's no type 30; it just ends at type 18. So is there any way to block traceroute just as I want? Thank you
 
savage
Forum Guru
Posts: 1262
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Sat Apr 22, 2006 12:06 pm

Hmm, I never heard of ICMP Type 30 before, I must admit.

Valid types include:
             echo reply (0), destination unreachable (3), source quench (4),
             redirect (5), echo request (8), router advertisement (9), router
             solicitation (10), time-to-live exceeded (11), IP header bad
             (12), timestamp request (13), timestamp reply (14), information
             request (15), information reply (16), address mask request (17)
             and address mask reply (18).
For ping, only ICMP 0 and ICMP 8 are required - strictly speaking. You can block most of the others without *too* many problems. I may stand corrected, but I believe traceroute uses ICMP 11.

Blocking traceroute on ICMP alone won't help you though. Traceroute can also be used with UDP, and you can also do a traceroute on any TCP/IP port you tell it to use...

A TCP traceroute on port 80:
traceroute: Warning: www.microsoft.com has multiple addresses; using 207.46.225.60
traceroute to lb1.www.ms.akadns.net (207.46.225.60), 64 hops max, 52 byte packets
 1  198.18.0.35  1.253 ms  1.568 ms  0.911 ms
 2  198.18.0.4  1.490 ms  2.120 ms  1.206 ms
 3  * * *
^C
Man page:
       The Internet is a large and complex aggregation of network hardware,
       connected together by gateways. Tracking the route one's packets follow
       (or finding the miscreant gateway that's discarding your packets)
       can be difficult. Traceroute utilizes the IP protocol `time to live'
       field and attempts to elicit an ICMP TIME_EXCEEDED response from each
       gateway along the path to some host.

<SNIP><SNIP>

       -P     Send packets of specified IP protocol. The currently supported
              protocols are: UDP, TCP, GRE and ICMP. Other protocols may also
              be specified (either by name or by number), though traceroute
              does not implement any special knowledge of their packet formats.
              This option is useful for determining which router along a
              path may be blocking packets based on IP protocol number. But
              see BUGS below.

       -p     Protocol specific. For UDP and TCP, sets the base port number
              used in probes (default is 33434). Traceroute hopes that nothing
              is listening on UDP ports base to base + nhops * nprobes - 1
              at the destination host (so an ICMP PORT_UNREACHABLE message
              will be returned to terminate the route tracing). If something
              is listening on a port in the default range, this option can be
              used to pick an unused port range.
 
ezanolin
just joined
Posts: 23
Joined: Sat Feb 25, 2006 2:15 pm

Sun Apr 23, 2006 4:20 pm

No matter if you use TCP, UDP or ICMP, the method of doing a traceroute is the same. A packet is sent out with an increasing IP TTL (Time To Live) value. Every time the packet passes a router, the router decreases the TTL. If the TTL reaches zero the router should respond to the source of the packet with an ICMP unreachable message. This is in place to prevent routing loops from bringing your routers to a standstill.

The other use for this is to cleverly find the packet route by adjusting the TTL to 1 for the first packet, then 2, then 3, and so on.

What you need to be blocking is the ICMP response type 11. If you create a new firewall rule you need to choose type ICMP in the [General] tab and then in the [Advanced] tab expand the ICMP options panel down and select ICMP type 11 (time exceeded).

The tricky thing is that you have to block this packet in the Output chain, which means you have to go back to the [General] tab and select Output from the chain list.

This is because the packets are generated by the router and will leave via the output chain and not traverse the forward chain. If you want to block traceroute responses from other routers you can block on the forward chain, but be wary that this will not block responses generated by the router itself, only responses passing back through it.

Hope this helps to clarify things a bit.
Cheers.
 
shielder
Member Candidate
Topic Author
Posts: 221
Joined: Wed Feb 09, 2005 7:09 pm
Location: Indonesia

Tue Apr 25, 2006 7:54 am

Hi, thank you for all your replies, I have tried it. If I use ICMP options type 11, the traceroute and ping still go through my router, but if I disable the ICMP options and block all the ICMP packets, no more ping or traceroute goes through my router. I think it is the type problem.

ICMP type 30 is what I found when searching on Google. Sorry if I am wrong.
 
ezanolin
just joined
Posts: 23
Joined: Sat Feb 25, 2006 2:15 pm

Wed Apr 26, 2006 2:40 am

Type 30 is the ICMP type that gets transmitted from the traceroute client.
Type 11 is what the router responds to the client with.
 
ceacu
just joined
Posts: 8
Joined: Tue Nov 08, 2005 12:22 am

Sat May 06, 2006 2:01 am

An even more elegant solution: change the TTL to a constant value.
 
moazdabsheh
Frequent Visitor
Posts: 54
Joined: Mon Mar 24, 2014 3:10 am
Location: Palestine

Re:

Sun Apr 06, 2014 9:43 pm

An even more elegant solution: change the TTL to a constant value.
Please guide me how to do that.
 
panikosagros
just joined
Posts: 1
Joined: Tue Jun 01, 2021 7:00 pm

Re: How to block traceroute and allow ping?

Tue Jun 01, 2021 7:10 pm

You can configure the below (tested and working)

/ip firewall filter
add action=drop chain=output comment="DROP_TRACEROUTE_REPLY 11:0" icmp-options=11:0 protocol=icmp src-address-list=IP_LIST
add action=drop chain=output comment="DROP_TRACEROUTE_REPLY 3:1" icmp-options=3:1 protocol=icmp src-address-list=IP_LIST

Where "IP_LIST" is the list of public or private IPs on your router that you do not wish the router to reply from.

Note:
11:0 is used when the router replies because the packet's TTL has reached 0.
3:0 is used when a router replies with a message that the destination is unreachable (even when the TTL is still more than 1).
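Added example, not from any post in this thread: a small Python model of the mechanism ezanolin describes (probes with increasing TTL, a type 11 reply from the router where the TTL expires, the destination answering a UDP probe with 3:3 port unreachable), of panikosagros's output-chain drop and its forward-chain counterpart, and of ceacu's constant-TTL idea that moazdabsheh asked about. In RouterOS the TTL rewrite corresponds to a mangle rule such as `/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=set:64`; the model applies it before the expiry check, which is also where prerouting sits relative to forwarding on Linux. It sends no packets; the path, the addresses (192.0.2.1 is "your" router, 198.51.100.x the neighbours, 203.0.113.10 the destination) and the four policies are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    addr: str
    drop_output_type11: bool = False   # chain=output  icmp-options=11:0 action=drop
    drop_forward_type11: bool = False  # chain=forward icmp-options=11:0 action=drop
    set_ttl: Optional[int] = None      # mangle chain=prerouting action=change-ttl new-ttl=set:N


@dataclass
class Reply:
    src: str
    icmp_type: int
    icmp_code: int


def route_back(transit: List[Router], reply: Reply) -> Optional[Reply]:
    """A reply on its way to the client transits every router between its
    origin and the client, so only their *forward* chains see it."""
    for r in reversed(transit):
        if reply.icmp_type == 11 and r.drop_forward_type11:
            return None
    return reply


def send_probe(path: List[Router], dest: str, proto: str, ttl: int) -> Optional[Reply]:
    """Forward one probe hop by hop; return the reply the client sees, or None."""
    for idx, r in enumerate(path):
        if r.set_ttl is not None:   # TTL rewritten before the router checks it
            ttl = r.set_ttl
        ttl -= 1                    # every router decrements the TTL
        if ttl == 0:
            # Expired here: this router *generates* the 11:0, so it leaves via
            # its own output chain, not the forward chain.
            if r.drop_output_type11:
                return None
            return route_back(path[:idx], Reply(r.addr, 11, 0))
    # Probe reached the destination host.
    if proto == "udp":
        return route_back(path, Reply(dest, 3, 3))   # port unreachable ends a UDP traceroute
    return route_back(path, Reply(dest, 0, 0))       # echo reply for ICMP probes / ping


def traceroute(path: List[Router], dest: str, proto: str = "udp",
               max_hops: int = 30) -> List[Tuple[int, str]]:
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, dest, proto, ttl)
        hops.append((ttl, reply.src if reply else "*"))
        if reply is not None and reply.icmp_type != 11:
            break   # anything other than time-exceeded means the destination answered
    return hops


def ping(path: List[Router], dest: str) -> bool:
    reply = send_probe(path, dest, "icmp-echo", 64)
    return reply is not None and reply.icmp_type == 0


def run_scenarios():
    """Same three-router path, four policies on the middle ("my") router.
    Returns {policy: (traceroute hops, ping works)}."""
    dest = "203.0.113.10"
    policies = {
        "no policy": Router("192.0.2.1"),
        "drop 11 in output": Router("192.0.2.1", drop_output_type11=True),
        "drop 11 in forward": Router("192.0.2.1", drop_forward_type11=True),
        "set TTL to 64": Router("192.0.2.1", set_ttl=64),
    }
    results = {}
    for name, mine in policies.items():
        path = [Router("198.51.100.1"), mine, Router("198.51.100.3")]
        results[name] = (traceroute(path, dest), ping(path, dest))
    return results


if __name__ == "__main__":
    for name, (hops, ok) in run_scenarios().items():
        print(f"== {name}: ping {'ok' if ok else 'FAILED'}")
        for n, src in hops:
            print(f"{n:3d}  {src}")
```

Ping succeeds under every policy because only type 11 is touched. Dropping 11:0 in the output chain blanks out just the router's own hop (`*`); dropping it in the forward chain leaves the router visible but hides the hop behind it, while the destination's 3:3 still gets through, which is why a rule for type 3 is needed as well if the last hop is to be hidden. Rewriting the TTL makes the router and everything behind it vanish: every probe that reaches it is refreshed and arrives at the destination, so traceroute ends one hop early at the destination address.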
