Tuesday, March 20, 2012

Reasons for Abnormal Traceroute Results

Results due to ICMP Filters

When performing an ICMP-based traceroute, there are a few reasons for not receiving a reply. Packet loss on congested networks can explain away single dropped replies. If all three probes for one or more hops go missing, it is likely that a firewall is blocking ICMP or that the routers are configured not to return an ICMP error. If, however, the traceroute ends with a successful reply after reporting multiple failed probes, this is the result of a firewall configured to pass ping (ICMP echo request and reply) but not the ICMP Time Exceeded replies that traceroute relies on from the intermediate hops.
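The reply patterns described above, as an added example that is not part of the original post: a small Python script that parses constructed traceroute output and maps each pattern onto the cause the post gives (the hop addresses are constructed documentation addresses).

```python
"""Classify the reply pattern of an ICMP traceroute (added example).

Rules taken from the post: isolated lost probes -> ordinary packet loss;
hops with all probes missing -> a filter dropping ICMP or routers that
return no ICMP error; silent hops followed by a final successful reply ->
a filter that passes ping but blocks the intermediate traceroute replies.
"""
import re

PROBE_RE = re.compile(r"\d+(?:\.\d+)?\s+ms")  # one RTT per answered probe

# Constructed sample in classic traceroute format (documentation addresses).
SAMPLE = """traceroute to 203.0.113.9 (203.0.113.9), 30 hops max
 1  192.0.2.1  0.512 ms  0.498 ms  0.470 ms
 2  198.51.100.7  3.210 ms  * 3.105 ms
 3  * * *
 4  * * *
 5  203.0.113.9  12.102 ms  11.933 ms  12.301 ms
"""


def parse_traceroute(text):
    """Return [(hop, replies, lost)] for each hop line of traceroute output."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue  # skip the "traceroute to ..." header line
        hop, rest = int(m.group(1)), m.group(2)
        hops.append((hop, len(PROBE_RE.findall(rest)), rest.count("*")))
    return hops


def diagnose(hops):
    """Map parsed hops onto the post's reasons; returns (cause, affected hops)."""
    if not hops:
        return ("no data", [])
    silent = [h for h, replies, _ in hops if replies == 0]        # all probes lost
    partial = [h for h, replies, lost in hops if replies and lost]  # some lost
    _, last_replies, _ = hops[-1]
    if silent and last_replies:
        return ("filter passes ping but blocks traceroute replies", silent)
    if silent:
        return ("ICMP blocked or no ICMP error returned", silent)
    if partial:
        return ("packet loss on a congested link", partial)
    return ("normal", [])


if __name__ == "__main__":
    print(diagnose(parse_traceroute(SAMPLE)))
```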


Thursday, March 15, 2012

Reasons for Abnormal ICMP errors

[Originally posted in the MD2600 newsletter, February 2001]

Continuing the reasons for abnormal packet series, we explore the presence of ICMP "Host Unreachable" (Type 3 Code 3) packets. The normal reason for a host unreachable error to occur is that, for some reason, the host is not online. As stated in the last article, when a packet destined for a network reaches a router attached to that network, the router sends an ARP request for the destination host. If no reply returns, the router generates an ICMP "Host Unreachable" error back to the sender. However, this is only the textbook example of what generates the error.

Now we place a packet filtering firewall in our picture of the network. Packet filters have a few actions they can perform on a packet, generally Pass, Deny, or Drop. If the matching rule says Pass, the firewall allows the packet to traverse. If the rule says Drop, the packet is destroyed and forgotten. If, however, Deny is the action of choice, the firewall destroys the packet and returns the wonderful ICMP "Host Unreachable" error.

Wednesday, March 14, 2012

Reasons for Abnormal Arp Requests

[Originally posted in the MD2600 newsletter, February 2001]

Recently a friend of mine was sniffing his network and noticed a higher than normal level of ARP requests. He was also startled that they all came from his router. The cause of this is quite simple and also useful to spot in network security. For the answer we need to review ARP.

ARP, the Address Resolution Protocol, works as a translator between IP (Internet Protocol) addresses and MAC (Machine Access Code) addresses. This is analogous to translating your street address to a zip+9 address, or a phone number to the cable and pair number.

When HostA wants to send a packet to HostB, HostA first checks whether HostB is on the same network as HostA. This involves subnetting, which is outside the scope of this paper. If both hosts are on the same network, HostA sends an ARP packet to the whole network requesting the MAC address of HostB. Once the address is known, HostA starts sending "data" packets. To aid in this process, hosts keep an ARP table that caches MAC/IP address pairs for a period of time.