Junos OS

How to hide IP in Traceroute

  • 1.  How to hide IP in Traceroute

     
    Posted 05-29-2018 01:10

    Hi,

     

    I have searched for an answer to this question, but coming up short....

     

    When a traceroute is completed from a CPE to an internet address, say Google DNS, our internal network addresses appear as hops, making our internal address range viewable to external sources. How can I make it so that when a traceroute is completed, our internal addresses appear as "* * *"....

     

    Thanks



  • 2.  RE: How to hide IP in Traceroute

    Posted 05-29-2018 01:26

    Hello,

    Is your traffic routed in the global routing table?

    If yes, there is no single command line that achieves what you want.

    You need a proper loopback filter to drop all TCP/UDP high ports (1024-65535) from untrusted src IP [tcptraceroute + UDP traceroute] plus drop all ICMP Echo Request from untrusted src IP with TTL==1 [Windows tracert].

    If not (meaning your traffic is inside MPLS L3VPN/VRF) then have a look at

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-decrement-ttl-edit-protocols-mpls.html

    HTH

    Thx

    Alex
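
A sketch of the loopback filter described in the reply above, written out as Junos set commands. It is an added example, not configuration from the thread or from Juniper documentation. The filter, term, counter and prefix-list names and the 192.0.2.0/24 range are constructed placeholders, and the `ttl` match condition is assumed to be supported on the platform in use.

```junos
# Constructed placeholder: sources allowed to reach the routing engine
# (management hosts, routing-protocol peers, NTP/DNS servers).
set policy-options prefix-list trusted-sources 192.0.2.0/24

# Term 1: trusted sources are accepted before any drop term is evaluated,
# so sessions the router itself originates towards them keep working.
set firewall family inet filter protect-re term trusted from source-prefix-list trusted-sources
set firewall family inet filter protect-re term trusted then accept

# Term 2: UDP traceroute and tcptraceroute probes from everyone else.
# Multiple values for one match condition are ORed, so this matches
# (udp OR tcp) AND destination port 1024-65535.
set firewall family inet filter protect-re term high-ports from protocol udp
set firewall family inet filter protect-re term high-ports from protocol tcp
set firewall family inet filter protect-re term high-ports from destination-port 1024-65535
set firewall family inet filter protect-re term high-ports then count untrusted-high-ports
set firewall family inet filter protect-re term high-ports then discard

# Term 3: Windows tracert probes (ICMP Echo Request arriving with TTL 1).
# Assumption: the platform supports the "ttl" match in family inet filters.
set firewall family inet filter protect-re term icmp-ttl1 from protocol icmp
set firewall family inet filter protect-re term icmp-ttl1 from icmp-type echo-request
set firewall family inet filter protect-re term icmp-ttl1 from ttl 1
set firewall family inet filter protect-re term icmp-ttl1 then count untrusted-icmp-ttl1
set firewall family inet filter protect-re term icmp-ttl1 then discard

# Final term: without it, the implicit default action discards everything else.
set firewall family inet filter protect-re term everything-else then accept

# Apply to the loopback so the filter covers traffic handled by the router itself.
set interfaces lo0 unit 0 family inet filter input protect-re
```

The counters can be read with `show firewall filter protect-re` to confirm which term a test traceroute hits. Because the high-ports term also drops return traffic to ephemeral ports, every address the router itself talks to has to be in the trusted prefix list before the filter is committed.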

     



  • 3.  RE: How to hide IP in Traceroute

    Posted 05-29-2018 01:31
    Have you configured icmp-tunneling under protocol mpls?

    Delete the icmp-tunneling knob and check.


  • 4.  RE: How to hide IP in Traceroute

     
    Posted 05-29-2018 02:12

    Hi aarsinev and Kingsman,

     

    I currently don't have access to the VPN as we are using a default license (only 2 clients allowed at any time).... But, having completed some tests to other systems via upstream ISPs, it looks like they allow echo replies anyway. Maybe this is a default for an "internal Network".

     

    My definition of "internal Network" is NOT the actual IP Range used in the data networks but the addressing on the routers within the ISP network.....

     

    I will still give your options a go when I can get onto the VPN and will report back. 

     

    Thank you.



  • 5.  RE: How to hide IP in Traceroute

     
    Posted 05-29-2018 06:51

    I have created a firewall filter that discards or stops echo-replies under icmp-type.

     

    Tested from external after applying the firewall filter to the required interface, and it seemed to work. To ensure this works as expected, I need to get the circuit owner to test from the CPE end. As soon as this is completed I will be able to let you know if it was fully successful or not.... Here is the config applied:

     

    set firewall family inet filter filter-tracert term 1 from source-address 0.0.0.0/0
    set firewall family inet filter filter-tracert term 1 from destination-address (Internal subnet)
    set firewall family inet filter filter-tracert term 1 from protocol icmp
    set firewall family inet filter filter-tracert term 1 from icmp-type echo-reply
    set firewall family inet filter filter-tracert term 1 then discard
    set firewall family inet filter filter-tracert term 2 then accept
    set interfaces ae1 unit 0 family inet filter input filter-tracert

     

    If you see any issues with this then please let me know: