Tracing behind the firewall [LWN.net]

January 10, 2007

This article was contributed by Jake Edge.

A new tool, 0trace, that can sometimes peek through a firewall and provide information about the hosts and addresses living behind it was recently released. The tool itself is in a rough, proof-of-concept form, but it can provide interesting results that are likely unexpected by the network administrator. A bit of a look at how 0trace accomplishes this feat requires a bit of firewall background as well.

Many firewalls use Network Address Translation (NAT) to multiplex multiple internal computers over one external, routable, IP address. When an internal host makes a connection to the outside world, the NAT device rewrites the addresses in the packets so that the external host believes it is talking to the firewall itself rather than the actual host (which is typically in the private, unroutable IP space). In order to do that, the NAT device records information about the connection: the IP addresses for the internal and external hosts as well as port information. It is this established connection table that 0trace exploits in order to do its work.

The basic scheme is much the same as traceroute in that 0trace sends packets with increasing time-to-live (TTL) values and listens to the ICMP "time exceeded" responses to determine the hosts that the packet has traversed. The difference is that 0trace uses an established connection to piggyback its probes on. Because many NAT implementations do not closely examine packets that are associated with an established connection, those responses, even from internal hosts, are forwarded along.

Users of traceroute are familiar with the '*' character that gets printed when there is no response from one of the hops; tracing a route these days typically ends in a series of hops without a response resulting in several rows of '* * *'. These are often systems that are behind firewalls which filter out the probe packets that traceroute sends because they are not associated with a connection that it knows about. The example in the announcement shows 0trace output from a scan of www.ebay.com with several internal IP addresses past the point where the traceroute output stops.

In order to run 0trace, one must first establish a connection with the host of interest. Using telnet to port 80 is one way to go about that; once the connection is established, the 0trace shell script is run. That script sets up a tcpdump to grab the traffic to and from the supplied IP address and then waits. The user must generate some traffic at this point and typing 'GET / HTTP/1.0' (followed by one return) is a good way to do that. 0trace analyzes the TCP packet dump to retrieve the sequence and ack numbers from the conversation; the shell script then passes those off to the 0trace C program (sendprobe). Using proper sequence/ack numbers from the established connection further disguises the 0trace traffic as a legitimate part of the conversation.

This technique is not new and the author, Michal Zalewski, credits a number of other people in the announcement and ensuing thread, but this is likely the first public implementation. The implementation is very dependent on the exact format of tcpdump output and is rather fragile because of that, but it is an interesting proof-of-concept. Zalewski invites interested people to improve upon it. Using it against hosts without their permission might be considered illegal in some jurisdictions; one should exercise care before using it. It does show a weakness in current NAT implementations that will likely need to be addressed.

(Log in to post comments)

Tracing behind the firewall

Posted Jan 11, 2007 11:44 UTC (Thu) by jannic (subscriber, #5821) [Link]

There is, however, a very simple defense against this attack: Just configure your firewall to drop (or or answer with TTL exceeded) any packet with a too low TTL field. The minimal TTL value allowed should be bigger than the largest number of hops behind the firewall. That way, it'll look like all hosts behind your NAT have the same number of hops, and you don't get any information about the individual steps from outside.

Something like "iptables -I FORWARD -m ttl --ttl-lt 4 -j DROP" should to the job. Unfortunately, there is no --reject-with icmp-ttl-exceeded, AFAIK.

Tracing behind the firewall

Posted Jan 11, 2007 15:45 UTC (Thu) by simonl (guest, #13603) [Link]

You could mangle the ttl down to 0 if it is <= 4, then you should get your ttl-exceeded response.

Tracing behind the firewall

Posted Jan 20, 2007 11:37 UTC (Sat) by jengelh (subscriber, #33263) [Link]

But -m ttl --ttl-lt 4 might match valid connections. What if, for whatever reason, it takes 61 routers to get through to www.ebay.com? Then this happens: your internal box sends TCP SYN with a hoplimit/ttl of 64, but the return TCP-ACK cannot pass your firewall because the return path already decreased the ttl too much. Boom, website hangs. It does not need the value pairs 61/64. Anything n-3/n does work, given that n is the default ttl for the OS or connection.

Tracing behind the firewall

Posted Jan 20, 2007 11:47 UTC (Sat) by jengelh (subscriber, #33263) [Link]

...and it's not uncommon for really strange things to happen on the Internet wrt. TTLs. Check this:

$ traceroute -n 82.83.11.215
traceroute to 82.83.11.215 (82.83.11.215), 30 hops max, 40 byte packets
 1  134.76.22.1
 2  134.76.23.254
 3  188.1.46.213
 4  188.1.18.62
 5  188.1.145.126
 6  188.1.56.22
 7  145.254.16.17
 8  145.254.18.62
 9  145.254.11.226
10  82.83.11.215

$ ping -c1 {all_addresses} | grep ttl
64 bytes from 134.76.22.1:    icmp_seq=1 ttl=126 time=1.31 ms
64 bytes from 134.76.23.254:  icmp_seq=1 ttl=254 time=1.58 ms
64 bytes from 188.1.46.213:   icmp_seq=1 ttl=253 time=2.12 ms
64 bytes from 188.1.18.62:    icmp_seq=1 ttl=252 time=3.70 ms
64 bytes from 188.1.145.126:  icmp_seq=1 ttl=251 time=17.4 ms
64 bytes from 188.1.56.22:    icmp_seq=1 ttl=250 time=16.4 ms
64 bytes from 145.254.16.17:  icmp_seq=1 ttl=249 time=16.6 ms
64 bytes from 145.254.18.62:  icmp_seq=1 ttl=248 time=21.4 ms
64 bytes from 145.254.11.226: icmp_seq=1 ttl=247 time=21.8 ms
64 bytes from 82.83.11.215:   icmp_seq=1 ttl=56 time=27.0 ms

So I would not be wondering if someone advertently decreased or increased the TTL, leading to either be inadvertently blocked by your iptables rule (because some router just decreased it), or inadvertently being not blocked by your rule (some router increased it), respectively. (The route from me->82.83.11.215 was stable (the same) on repeated traceroute runs.)

Tracing behind the firewall

Posted Jan 12, 2007 23:27 UTC (Fri) by rise (guest, #5045) [Link]

As Zalewski acknowledges in the full-disclosure thread, 0trace is very similar to Dan Kaminski's paratrace (parasitic traceroute) from a few years ago. The primary difference seems to be that it's sacrificing the original connection for a better success rate. I suspect that this is a tradeoff based on when the tools were written, paratrace always worked very well for me. In fact it's very unfortunate that the paketto keiretsu suite doesn't compile on anything modern, there are some great tools for any admin in there. The scanrand stateless port and address scanner makes enumerating all the hosts in a large block and verifying they're not running anything they shouldn't be much faster than using traditional port scanners.

All in all, 0trace still looks like a very useful tool on rare occasions.