
Modify the packet TTL through iptables to hide the number of routing hops during traceroute

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Principle

Traceroute works by stepping up the time-to-live (TTL) value of the packets it sends. Every time a packet passes through a router, its TTL is decremented by 1. When the TTL reaches 0, the router discards the packet and sends an ICMP Time Exceeded message back to the sender of the original packet.

The first three packets sent by the program have a TTL of 1, the next three a TTL of 2, and so on; from the replies it obtains the sequence of routers on the path. Note that IP does not guarantee that every packet takes the same path, so the three probes for one TTL value may be answered by different routers.

Implementation

The caller first sends a UDP packet with TTL=1. The first router decrements the TTL from 1 to 0, does not forward the packet, and instead returns an ICMP Time Exceeded message; the source address of that message gives the caller the address of the first gateway. The caller then sends a UDP packet with TTL=2 to obtain the second gateway address, and keeps incrementing the TTL to collect all the gateway addresses along the way.

Note that not all gateways return ICMP Time Exceeded messages. For security reasons, most firewalls and routers with firewall features are configured by default not to return various kinds of ICMP packets, and administrators can configure the remaining routers or switches not to return them either. Traceroute may therefore fail to obtain every gateway address along the path. For that reason, when the probes for a given TTL get no response (shown as "*"), the trace does not stop: the program still increments the TTL and sends the next probe, and it keeps going until the default hop limit or the limit given by the max_hops parameter is reached.

By the same principle, when a UDP-based traceroute probe reaches the real destination host, the host might simply discard it and return nothing if no service is listening on that port. To solve this, traceroute sends its probes to a high UDP port that is very unlikely to be in use (the classic implementation starts at port 33434 and increments the port for each probe). Since nothing listens there, the only thing the destination host can do on receiving the packet is return an ICMP Port Unreachable message, and the caller uses that message as the signal to end the trace.

Hide the next 4 hops

iptables -t mangle -A PREROUTING -m ttl --ttl-gt 1 -j TTL --ttl-inc 4

This rule catches every packet entering the router on the mangle table's PREROUTING chain and, whenever the TTL is greater than 1, adds 4 to it before the forwarding decrement takes place. A probe that arrives with TTL 1 still expires here, so this router itself remains visible; every probe that survives leaves with four extra hops of life, so the next four routers never see a TTL of 1 and never answer. Traceroute therefore shows the fifth router after this one as the very next hop, and the four hidden routers do not even appear as "*" lines. Be aware that the rule applies to all transit traffic, not only traceroute probes, which is exactly the danger the TTL target's documentation warns about.
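To make the principle and the effect of the rule concrete, here is an added example (written for this edit, not code from the original article): a small model of UDP traceroute run against a path on which one router applies the mangle rule above. The eight-router path, the addresses, and the one router that silently filters its ICMP errors are all constructed for the demo; the TTL arithmetic follows Linux, where the mangle PREROUTING chain runs before forwarding decrements the TTL and a packet that cannot survive the decrement is answered with ICMP Time Exceeded.

```python
"""Model of UDP traceroute against a path where one router runs
    iptables -t mangle -A PREROUTING -m ttl --ttl-gt 1 -j TTL --ttl-inc 4
Constructed topology and addresses; added example, not the article's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIME_EXCEEDED = "time-exceeded"
PORT_UNREACHABLE = "port-unreachable"
SILENT = "*"   # what traceroute prints when no reply arrives


@dataclass
class Router:
    addr: str
    responds: bool = True   # False: filters outbound ICMP errors (shows as "*")
    ttl_gt: int = 0         # the rule's --ttl-gt threshold (0 = no rule)
    ttl_inc: int = 0        # the rule's --ttl-inc amount (0 = no rule)

    def forward(self, ttl: int) -> Tuple[int, bool]:
        """Return (TTL after this hop, expired?)."""
        # mangle PREROUTING: the TTL target fires before the forwarding decrement
        if self.ttl_inc and ttl > self.ttl_gt:
            ttl += self.ttl_inc
        # forwarding: a packet that cannot survive the decrement is dropped
        # and (unless the router filters ICMP) answered with Time Exceeded
        if ttl <= 1:
            return 0, True
        return ttl - 1, False


def send_probe(path: List[Router], dest: str, ttl: int) -> Tuple[str, Optional[str]]:
    """One UDP probe with the given initial TTL to a high, unused UDP port."""
    for router in path:
        ttl, expired = router.forward(ttl)
        if expired:
            return TIME_EXCEEDED, router.addr if router.responds else None
    # The destination delivers locally and never decrements, so arriving with
    # TTL 1 is fine; nothing listens on the port, hence Port Unreachable.
    return PORT_UNREACHABLE, dest


def traceroute(path: List[Router], dest: str, max_hops: int = 30) -> List[str]:
    """Hop list as traceroute would print it, one entry per TTL value."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = send_probe(path, dest, ttl)
        hops.append(addr if addr is not None else SILENT)
        if kind == PORT_UNREACHABLE:
            break
    return hops


def demo_path(with_rule: bool) -> List[Router]:
    """Constructed 8-router path; R3 carries the mangle rule when with_rule."""
    routers = [Router(f"10.0.{i}.1") for i in range(1, 9)]
    routers[5].responds = False            # R6 filters ICMP errors
    if with_rule:
        routers[2].ttl_gt, routers[2].ttl_inc = 1, 4   # --ttl-gt 1 --ttl-inc 4
    return routers


if __name__ == "__main__":
    for with_rule in (False, True):
        label = "with rule   " if with_rule else "without rule"
        print(label, traceroute(demo_path(with_rule), "192.0.2.10"))
```

Without the rule the trace lists all eight routers (R6 as "*") and then the destination; with the rule on R3 it lists R1, R2, R3, then R8 and the destination. R4 through R7 vanish entirely rather than showing as "*", because every surviving probe leaves R3 with four extra hops of TTL. The same +4 is applied to every other packet R3 forwards, which is why the man page warns against using the target on traffic that leaves the local network.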

Verify the configuration

iptables -t mangle -nvL

Chain PREROUTING (policy ACCEPT 684G packets, 41T bytes)
 pkts bytes target     prot opt in     out     source               destination
 684G   41T TTL        all  --  *      *       0.0.0.0/0            0.0.0.0/0            TTL match TTL > 1 TTL increment by 4

ttl (match on the TTL value)

This module matches the time-to-live field in the IP header.

--ttl-eq ttl

Matches the given TTL value.

--ttl-gt ttl

Matches if the TTL is greater than the given value.

--ttl-lt ttl

Matches if the TTL is less than the given value.

TTL (change the TTL value)

This target is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can traverse until its time to live is exceeded.

Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. Don't ever set or increment the value on packets that leave your local network! This target is only valid in the mangle table.

--ttl-set value

Set the TTL value to 'value'.

--ttl-dec value

Decrement the TTL value by 'value'.

--ttl-inc value

Increment the TTL value by 'value'.

Block tracert from a Windows PC

iptables -A FORWARD -p icmp -m length --length 92 -j DROP

Windows tracert probes are ICMP Echo Requests carrying 64 bytes of data, so each probe is exactly 92 bytes long on the wire (20-byte IP header + 8-byte ICMP header + 64 bytes of data); the rule drops every ICMP packet of that size passing through the FORWARD chain. It has no effect on Linux traceroute, whose default probes are UDP, and it equally drops any other 92-byte ICMP packet (for example a Windows ping -l 64), so it is a coarse filter.

length (match on packet length)

This module matches the length of a packet against a specific value or a range of values. The man page describes it as the length of the layer-3 payload, but the value actually compared is the IPv4 total length field, which includes the IP header; that is why a Windows tracert probe matches 92 and not 72.

[!] --length length[:length]

Match a single length, or an inclusive range written as min:max (either bound may be omitted). A leading ! inverts the match.
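The following is an added example (not code from the original article) that builds the ICMP Echo Request packets Windows tracert, Windows ping and Linux ping send by default, and applies the same test as the FORWARD rule above. The IPv4 and ICMP headers are packed from their standard layouts; the source and destination addresses, the zero-filled data, and the 92-byte UDP stand-in are constructed for the demo. Packet sizes assume the default data sizes of those tools (64 bytes for Windows tracert, 32 for Windows ping, 56 for Linux ping).

```python
"""Emulate `-A FORWARD -p icmp -m length --length 92 -j DROP` on hand-built
packets. Added example; addresses and payloads are constructed."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REQUEST = 8
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header, no options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """8-byte ICMP Echo Request header followed by `data`."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def ipv4_packet(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """IPv4 header in front of `payload`; total length = 20 + len(payload)."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def ip_total_length(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]


def ip_protocol(pkt: bytes) -> int:
    return pkt[9]


def length_match(pkt: bytes, spec: str, negate: bool = False) -> bool:
    """Emulate `-m length [!] --length length[:length]` on the IP total length."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    hit = lo <= ip_total_length(pkt) <= hi
    return hit != negate


def forward_verdict(pkt: bytes) -> str:
    """-A FORWARD -p icmp -m length --length 92 -j DROP, policy ACCEPT."""
    if ip_protocol(pkt) == IPPROTO_ICMP and length_match(pkt, "92"):
        return "DROP"
    return "ACCEPT"


# Constructed sample traffic (addresses and data are made up for the demo).
SRC, DST = "192.168.1.20", "198.51.100.7"
WINDOWS_TRACERT = ipv4_packet(SRC, DST, 1, IPPROTO_ICMP, icmp_echo_request(b"\x00" * 64))
WINDOWS_PING_L64 = ipv4_packet(SRC, DST, 128, IPPROTO_ICMP, icmp_echo_request(b"\x00" * 64))
WINDOWS_PING = ipv4_packet(SRC, DST, 128, IPPROTO_ICMP, icmp_echo_request(b"\x00" * 32))
LINUX_PING = ipv4_packet(SRC, DST, 64, IPPROTO_ICMP, icmp_echo_request(b"\x00" * 56))
# A 92-byte UDP datagram (header contents irrelevant here): same size, wrong protocol.
UDP_92 = ipv4_packet(SRC, DST, 1, IPPROTO_UDP, b"\x00" * 72)

SAMPLES = {"windows tracert": WINDOWS_TRACERT, "windows ping -l 64": WINDOWS_PING_L64,
           "windows ping": WINDOWS_PING, "linux ping": LINUX_PING, "udp 92 bytes": UDP_92}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {ip_total_length(pkt):3d} bytes -> {forward_verdict(pkt)}")
```

Only the two 92-byte ICMP packets are dropped: the Windows tracert probe and a Windows ping -l 64, which shows the collateral damage of matching on size alone. The 92-byte UDP datagram passes because of -p icmp, and the 60- and 84-byte pings pass because of the exact length. Since the rule lives in FORWARD, it only affects traffic transiting the router; a tracert aimed at the router's own address goes through INPUT and is not covered.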
