Traceroute
advICE :Intrusions : 2000101

Summary

Somebody is mapping the route through the Internet between their machine and your machine.

Details

The traceroute utility is widely used on the Internet in order to find the route between two machines. Imagine calling somebody on a phone and being able to look on a map to see a drawing of the exact route your phone call takes. The traceroute program performs this task, except it shows a "virtual" route through the Internet.

A traceroute isn't very dangerous. There is no way to break into your machine using this feature. However, it does help a hacker map out your Internet connection. This information could possibly be used to compromise some other part of your connection. For example, in the past, this type of information was used by hackers in order to kick their victims off the Internet by forcing the the nearest router to hang up the phone line.

For more details, see the section on traceroute.

False Positives

Some customers are receiving reports of their own machines sending out traceroutes. The product flags traceroutes because they are not normal traffic. However, some products (such as those listed below) may do traceroutes as part of their operation:

• VisualRoute
• Net.Medic

If you are running these products, then this isn't something to worry about.

Defense

The traceroute program pings each of the routers before it reaches your machine. Therefore, using firewall rules to block the traceroute only blocks the tail end of it -- you cannot stop someone from finding most of the route to your system.

parametric information count The number of frames seen with a TTL of 1.

configuration for this item traceroute.count 3 The number of frames to trigger this intrusion detection. traceroute.interval 10 The time interval (in seconds) over which the frames with TTL=1 are measured.

 
Version appeared: