Traceroute and Security
Please read this if you think that someone on our network is trying to break into your network.
Hi there. You are probably looking at this page because you think that someone on one of our systems (typically 126.96.36.199 or 188.8.131.52, or viola.opus1.com or cello.opus1.com) is trying to break into your network.
Quick answer: they're not. Your intrusion detection system or logs have given you a false alarm.
Long answer: Opus One maintains a traceroute server. This is a system which is used by tens of thousands of people to look at the path from point A to point B across the Internet. In our case, point A is Opus One, a consultancy in Tucson, Arizona. You are probably point B.
Traceroute is a long-established tool which attempts to discover the path between two systems by sending out successive UDP packets with ever-increasing TTLs (time-to-live values), starting at 1. Every router that forwards an IP packet decrements its TTL by one. The router that decrements the TTL to zero discards the packet and sends back a "TTL exceeded" message (in a different IP protocol, called ICMP) to the originator. Traceroute uses the outgoing UDP packets and the returning ICMP messages to identify, in order, the routers which a packet passes through on its way across the Internet. (This describes the classic Unix-style traceroute, which is what our server sends. Windows tracert sends ICMP echo requests instead of UDP, so its probes look different in your logs.)
The outgoing packets from traceroute are sent towards the destination using UDP and very high port numbers, typically in the range of 32,768 and higher; the classic implementation starts at port 33434 and increments the port by one for every probe it sends. This is because no one runs UDP services up there, so when a probe finally reaches the destination host, the host answers with an ICMP "port unreachable" instead of a "TTL exceeded", and traceroute can tell that it got to the end.
Your intrusion detection system may have seen 3 or 30 packets addressed to high-numbered UDP ports (above 32,768) and called it a port scan. It's not. Your intrusion detection system (or you, if you're interpreting the logs manually) has raised a false alarm. This is just someone tracerouting to you. You are not being port scanned, and no one is trying to break in to your network.
We get an email message (or sometimes a phone call) once a week from someone who is sure that we have a hacker trying to break in to their system. This long web page was written so that we can point them to a comprehensive answer which will settle their concerns. Following are some common questions we get asked regarding this traceroute server, and our answers.
I don't understand your explanation of how Traceroute works.
That's OK. It's not extremely complicated, but if you have never studied TCP/IP, it may not be obvious how it works. There is an outstanding explanation of Traceroute written by the (late, great) W. Richard Stevens in his TCP/IP Illustrated (volume 1). If you are serious about understanding TCP/IP, this is a book you need to buy. It beats those soft-cover "TCP/IP for complete stooges" books in that it is (a) accurate and (b) well written. I strongly recommend that you get a copy. Amazon.COM or Computer Literacy have it, of course, and possibly your local bookstore does too.
I see a lot more than 3 packets (standard traceroute); more like 100
Yes. Our traceroute is enhanced (that's why it's so useful) and people can ask for up to 99 packets to be sent to each hop. This is for making delay measurements and getting throughput numbers. The default is 3, but 99 packets are not going to hurt your network. In addition, if you have some sort of firewall that silently drops the probes (or if the traceroute destination is nonexistent), no ICMP "port unreachable" ever comes back, so traceroute never learns that it has reached the end and keeps sending probes with larger and larger TTLs until it hits its hop limit. Every one of those later probes lands on your firewall. We default to 3 packets per hop with 30 hops as a maximum, so up to 90 packets might show up. In an extreme case (99 packets per hop for all 30 hops), you could see 2,970 packets. This, also, will not hurt your network.
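As an added example (this is not code from the Opus One page or from its traceroute server), the Python script below shows what the probe pattern described above looks like in a firewall log and how a detection rule should tell it apart from a real UDP port scan. It also computes, from the 3-probe and 30-hop defaults stated above, how many probes reach a host that answers versus one sitting behind a firewall that silently drops them, and uses that count to build the sample log. The log line format, the IP addresses, the sample entries and the upper port bound are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Classic (BSD/Van Jacobson) traceroute sends its first probe to UDP port 33434
# and raises the destination port by one for every probe after that, so a target
# sees one contiguous, ascending run of high UDP ports from the tracing host.
TRACEROUTE_BASE_PORT = 33434
# Upper bound derived from the page's limits (99 probes per hop, 30 hops); an
# assumption for this example, not a value the server publishes.
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 99 * 30 - 1

# Constructed log line format (an assumption, not any real firewall's syntax):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def probes_seen(distance_hops, max_hops=30, probes_per_hop=3, destination_answers=True):
    """Probes that reach the destination (or the firewall in front of it).

    A host that replies with ICMP port unreachable stops the trace at its own hop, so
    only that hop's probes arrive.  A firewall that silently drops the probes never
    sends that reply, so traceroute keeps raising the TTL up to max_hops and every TTL
    from the target's distance to max_hops lands on it.
    """
    if not 1 <= distance_hops <= max_hops:
        raise ValueError("distance_hops must be between 1 and max_hops")
    if destination_answers:
        return probes_per_hop
    return (max_hops - distance_hops + 1) * probes_per_hop


def parse_log(lines):
    """Yield (proto, src_ip, dst_port) for each line matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], int(m["dport"])


def classify_ports(ports):
    """Verdict for the UDP destination ports one source hit.

    "traceroute": all ports in the classic range and the distinct ports form one
                  contiguous ascending run (3 probes or 3,000 look the same).
    "port_scan":  ten or more distinct ports that do not fit that pattern.
    "other":      too little traffic to say.
    """
    distinct = sorted(set(ports))
    if not distinct:
        return "other"
    in_range = TRACEROUTE_BASE_PORT <= distinct[0] and distinct[-1] <= TRACEROUTE_MAX_PORT
    contiguous = distinct[-1] - distinct[0] + 1 == len(distinct)
    if in_range and contiguous:
        return "traceroute"
    if len(distinct) >= 10:
        return "port_scan"
    return "other"


def classify_log(lines):
    """Return {source_ip: verdict} over the UDP entries of a firewall log."""
    by_src = defaultdict(list)
    for proto, src, dport in parse_log(lines):
        if proto == "UDP":
            by_src[src].append(dport)
    return {src: classify_ports(ports) for src, ports in by_src.items()}


def traceroute_log_lines(src, distance_hops, destination_answers, probes_per_hop=3):
    """Constructed log lines for a classic traceroute from src to a host distance_hops away.

    Probes with a TTL below distance_hops expire at intermediate routers and never reach
    the target, so the first port it sees is base + (distance_hops - 1) * probes_per_hop.
    """
    n = probes_seen(distance_hops, probes_per_hop=probes_per_hop,
                    destination_answers=destination_answers)
    first = TRACEROUTE_BASE_PORT + (distance_hops - 1) * probes_per_hop
    return [f"10:00:{i % 60:02d} UDP {src}:40321 -> 192.0.2.10:{first + i}" for i in range(n)]


# Constructed sample log (not real traffic): a traceroute that got an answer, one that
# hit a silently dropping firewall, a genuine UDP service sweep, and a TCP line the
# UDP rule must ignore.  All addresses are from documentation ranges.
SAMPLE_LOG = (
    traceroute_log_lines("198.51.100.7", distance_hops=12, destination_answers=True)
    + traceroute_log_lines("198.51.100.8", distance_hops=12, destination_answers=False)
    + [f"10:05:00 UDP 203.0.113.99:54000 -> 192.0.2.10:{p}"
       for p in (53, 67, 69, 111, 123, 137, 161, 162, 500, 514, 1434, 1900)]
    + ["10:06:00 TCP 203.0.113.5:50000 -> 192.0.2.10:22"]
)

if __name__ == "__main__":
    for src, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

Running the script reports both 198.51.100.x sources as traceroute (3 probes for the host that answered, 57 for the one behind a dropping firewall, both as one unbroken run of ports starting at 33467) and 203.0.113.99 as a port scan. The rule is a heuristic: a scanner that deliberately sweeps upward from port 33434 would pass it, and it only recognises the UDP-based traceroute described on this page, so ICMP-based tracert probes never match it (they are not a port scan either) and TCP-based traceroutes show up as ordinary SYNs.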
Cool! How can I use this tool?
Simple enough: go to our traceroute web page at http://www.opus1.com/www/traceroute.html. You may also be interested in the folks at traceroute.org which keep a nice list of servers like ours. We find this an incredibly useful tool.
I don't like you doing this. You need to stop tracerouting to us.
If you don't like traceroute, you should disconnect from the Internet. We have no intention of maintaining a block list. However, you are welcome to block our entire AS (6373) from your network if you're that much of an idiot.
That's not traceroute. I know what traceroute is, and that's not traceroute you're doing. You're trying to break in. I demand you stop. I'm calling the cops.
Thank you for sharing.
No, really, someone on that system is trying to break in.
No, really, someone isn't. That system is part of an OpenVMS cluster, and no script kiddie is going to break in and set up shop on our systems. Most "crackers" don't even know what OpenVMS is. If you know what OpenVMS is, then you know why there's no one using our systems to break into yours. (If you don't know what OpenVMS is, then you're going to have to trust me on this one.) If someone did have a shell account, it wouldn't matter, because there is a serious dearth of cracker tools which operate on OpenVMS. The only people with privileged access are the partners in our consulting firm, and they don't have time or interest to break in to your network.
Can you tell me who is doing all this tracerouting to my servers?
You know, I don't like your attitude. You are awfully cocky and arrogant.
We waste a great deal of time dealing with people who cannot interpret their own firewall logs, or don't understand networking, or have bought a package written by a moron that misinterprets the logs for them. All this is because we have a public traceroute server which we operate as a service to the community. Our natural desire to be compassionate, kind, and educate the entire Internet on security has been worn quite thin by righteous fools who write messages like the ones above. Please accept the apologies of our entire firm, and feel free not to send us any more mail complaining about non-existent security problems.
© 1998, 2003 Opus One. Site by DesertNet Designs