[Snort-sigs] SID 456, 20 of 20

Steven Alexander alexander.s at ...1565...
Mon Jun 9 09:50:45 EDT 2003

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute";
itype: 30; icode: 0; sid:456; classtype:misc-activity; rev:4;)  



Summary:

traceroute is a standard networking utility that determines the routers
that data will travel through en route to a destination. This rule
indicates that a traceroute is being performed against one of the hosts
on your network.


Impact:

Can be used as a reconnaissance tool.  Traceroute reveals information
about the layout of a network.

Detailed Information:

Traceroute works by sending an ICMP Echo Request packet to a destination
host with a TTL value of 1.  If the host is more than one hop away, the
first router that receives the packet will send back an ICMP packet
indicating that the TTL was exceeded.  The address of this router is
then listed as the first hop.  The packet is then sent out again with a
TTL of 2.  This continues until the destination host is able to reply or
some maximum TTL value is reached.  Unix implementations generally use
UDP packets sent to an ephemeral port rather than an ICMP Echo Request.
The TTL on the packet is decreased by 1 as it passes each router and
should have a TTL of 1 when it reaches the destination network.
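The following Python is an added example, not part of the original rule documentation or of Snort. It does two things: it evaluates the conditions of SID 456 (external source, home destination, ICMP type 30, code 0) against raw IPv4/ICMP packets, and it models the hop-by-hop TTL probing described above. The home network 192.0.2.0/24, the router addresses, and the packet builder are constructed test values; a real sensor would take packets from a capture rather than build them.

```python
import ipaddress
import struct

# Constructed sample values (assumptions, not from the rule documentation).
HOME_NET = ipaddress.IPv4Network("192.0.2.0/24")   # plays the role of $HOME_NET
ICMP_PROTO = 1
ICMP_TRACEROUTE = 30      # itype:30 in SID 456 (RFC 1393 Traceroute message)
ICMP_ECHO_REQUEST = 8


def build_ipv4_icmp(src, dst, ttl, icmp_type, icmp_code):
    """Build a minimal IPv4 + ICMP packet (constructed test input; checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, ttl, ICMP_PROTO, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt):
    """Return the header fields the rule looks at, or None if the packet is not ICMP."""
    if len(pkt) < 20 or pkt[9] != ICMP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if len(pkt) < ihl + 2:
        return None
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "ttl": pkt[8],
        "itype": pkt[ihl],
        "icode": pkt[ihl + 1],
    }


def sid456_match(pkt, home_net=HOME_NET):
    """Evaluate SID 456: $EXTERNAL_NET any -> $HOME_NET any, itype:30, icode:0.
    Returns an alert string on a match, otherwise None."""
    f = parse_ipv4_icmp(pkt)
    if f is None:
        return None
    if f["src"] in home_net or f["dst"] not in home_net:   # external -> home only
        return None
    if f["itype"] == ICMP_TRACEROUTE and f["icode"] == 0:
        return f"[1:456:4] ICMP Traceroute {f['src']} -> {f['dst']} (ttl={f['ttl']})"
    return None


def traceroute_hops(path, max_ttl=30):
    """Model the probing described above. path lists the routers in order, ending
    with the destination. Each router decrements the TTL by one; the node at which
    it reaches zero answers with Time Exceeded, until a probe reaches the
    destination itself, which answers the probe directly."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        idx = ttl - 1                      # the router that sees TTL hit zero
        if idx >= len(path) - 1:
            hops.append((ttl, path[-1], "echo-reply"))   # destination reached
            break
        hops.append((ttl, path[idx], "time-exceeded"))
    return hops


if __name__ == "__main__":
    probe = build_ipv4_icmp("198.51.100.7", "192.0.2.10", ttl=1, icmp_type=30, icmp_code=0)
    print(sid456_match(probe))
    for ttl, node, reply in traceroute_hops(["10.0.0.1", "10.0.1.1", "192.0.2.10"]):
        print(ttl, node, reply)
```

Note that the rule only fires on ICMP type 30, so an Echo Request probe (type 8) or a Unix UDP probe passes sid456_match untouched; those are covered by other signatures, not by SID 456.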

Affected Systems:

Attack Scenarios:

Traceroute is often used against machines on a network prior to an

Ease of Attack:
Very Simple

False Positives:
This program is also used legitimately by users and/or network
administrators to troubleshoot problems.

False Negatives:

None known.

Corrective Action:

ICMP packets can be blocked with a firewall.

Documentation - Steven Alexander <alexander.s at ...1565...>
Additional References:
