Section 20.7 Using traceroute


The traceroute program is very useful for determining the route to a node, such as your cracker's. This is useful if it is not obvious what route was used to get to you. It is possible, though unlikely, that the route to your system is different from the route in the opposite direction. By analyzing the few nodes nearest to your cracker's, you can determine what company, ISP (Internet Service Provider), or agency is being used to connect her to the Internet. By nearest, we mean the hop listed just before the cracker's system in the traceroute output, the one before that, and so on. The interpretation of these timings was discussed in "Using ping" on page 712.

The names of intermediate routers often tell their geographic locations. Commonly a router's name will contain its city or the three-letter identifier of the nearest large airport. These identifiers can be decoded at

www.cavu.com/sunset.html


These entities are the ones you will want to contact first to try to shut down the cracker. Realize that some of these systems might be compromised and some even might be under the authority of the cracker. You will want to use the techniques discussed earlier in this section to get phone contacts for these upstream systems. The traceroute program has an advantage over ping in that many sites now block ping requests because ping can be used for DoS and other attacks. Traceroute packets (usually UDP packets on high port numbers) are rarely blocked.

The traceroute program has a variety of flags that can be useful, particularly with misconfigured systems. Usually, only the destination system's host name or numeric IP address is supplied as an argument. It then lists the data for each "hop," including the hop number, host name and IP address, and the minimum, average, and maximum transit times. The data for each hop is generated when that host responds to a packet that has exceeded its Time To Live (TTL) with an ICMP TIME_EXCEEDED error. Some systems do not generate this message, whether to save bandwidth, for confidentiality, or simply because they are not required to.
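The following is an added example, not code from the book: it parses traceroute output in the per-hop format just described, keeps the hops that stayed silent (no ICMP TIME_EXCEEDED, printed as "* * *"), picks out the responding routers nearest the final hop, and pulls the three-letter city/airport labels out of router names. The sample trace, the host names and the rule that such labels sit between the interface label and the organization name are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in Linux traceroute's output format (not a real trace).
# Hop 4 never returned ICMP TIME_EXCEEDED, which traceroute prints as "* * *".
SAMPLE = """\
traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  gw.example.lan (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  ae1.cr1.sfo.example-isp.net (198.51.100.9)  12.301 ms  12.110 ms  12.455 ms
 3  xe-0-0-0.cr2.ord.example-isp.net (198.51.100.33)  41.200 ms  40.980 ms  41.311 ms
 4  * * *
 5  edge.ord.upstream-example.net (203.0.113.1)  44.010 ms  43.870 ms  44.220 ms
 6  203.0.113.77 (203.0.113.77)  45.118 ms  45.002 ms  45.390 ms
"""
# One hop per line: either "host (ip) t ms t ms t ms" or "* * *" for a silent router.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:"
    r"(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)(?P<times>(?:\s+[\d.]+ ms)+)"
    r"|(?P<lost>\*(?:\s+\*)*))\s*$")

@dataclass
class Hop:
    number: int
    host: Optional[str]   # None when the router sent no TIME_EXCEEDED
    ip: Optional[str]
    rtts: List[float]     # one value per probe, in ms

def parse_traceroute(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, or a mixed "t ms * t ms" line this simple pattern skips
        lost = m.group("lost") is not None
        rtts = [] if lost else [float(t) for t in re.findall(r"([\d.]+) ms", m.group("times"))]
        hops.append(Hop(int(m.group("hop")), m.group("host"), m.group("ip"), rtts))
    return hops

def rtt_stats(hop: Hop):
    # (minimum, average, maximum) probe time for one responding hop, in ms
    return (min(hop.rtts), round(sum(hop.rtts) / len(hop.rtts), 3), max(hop.rtts))

def nearest_hops(hops: List[Hop], n: int = 3) -> List[Hop]:
    """The n responding routers just before the final hop, nearest first."""
    responding = [h for h in hops[:-1] if h.ip is not None]
    return responding[::-1][:n]

def location_hints(hostname: str) -> List[str]:
    """Three-letter labels in a router name that often encode a city or airport."""
    labels = hostname.split(".")[1:-2]  # assumed layout: skip interface label, org name, TLD
    return [lab for lab in labels if len(lab) == 3 and lab.isalpha()]
```

The hints are only a starting point for the lookup; confirm them against the decoding page mentioned above before contacting anyone.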

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260