Did someone reload the internet from floppy last night?
bscott at ntisys.com
Tue Feb 3 21:41:13 EST 2004
On Tue, 3 Feb 2004, at 11:23am, steveo at syslang.net wrote:
> When others were getting connection refused, they were not even getting to
> my computer. It was not my server or firewall. The question is this: Is
> there a traceroute command that will tell me *where* along the way that
> the connection *was* getting refused.

That depends. The originating system is obviously receiving some kind of
notification. (If the router that was filtering was just dropping the
packets silently, you would get a "Connection timed out" or similar error.)

The proper way for a router to notify about a packet being filtered is to
send an ICMP "Destination Unreachable" message with one of the
"Administratively Prohibited" response codes (code 9, 10, or 13; see
RFC-1812 Section 5.2.7.1 for details). If the filtering router is doing
that, the source address of the ICMP datagram will indicate where the
filtering is occurring. "tcpdump" will show you that.

Actually, even if the router is sending an ICMP "Destination Unreachable"
with a non-standard response code for this situation (like "Port
Unreachable"), the above should work.

As Kevin D. Clark has been implying, tcpdump is your friend.

However, there is nothing keeping the router from spoofing the source
address of whatever notification it is sending. In particular, it could be
spoofing the destination address of your TCP connection attempt, and
claiming that said destination is refusing the connect. If that is the
case, things get rather tricky. You really cannot easily and definitively
trace this. You might be able to deduce it by doing a series of TCP probes
along a traceroute path, and looking at the ICMP messages you get back.

Fortunately, I don't think this kind of filtering is common outside of
fairly rare (read: deliberate deception) situations.

--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
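
Added example, not part of the original message: a Python parser for the ICMP "Destination Unreachable" datagram discussed above, reporting which address sent the notification, which connection attempt it refers to, and whether the code is one of 9, 10 or 13. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import socket
import struct

# ICMP type 3 codes named in the message above (RFC 1812 section 5.2.7.1)
ADMIN_PROHIBITED = {9: "network administratively prohibited",
                    10: "host administratively prohibited",
                    13: "communication administratively prohibited"}
OTHER_CODES = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable"}

def ipv4_header(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def explain_unreachable(packet):
    """Parse an IPv4 packet carrying ICMP Destination Unreachable; None otherwise."""
    ihl, proto, reporter, _ = ipv4_header(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 3:
        return None
    code = icmp[1]
    # After the 8-byte ICMP header comes the offending datagram's IP header
    # plus at least the first 8 bytes of its payload (the TCP ports).
    inner = icmp[8:]
    in_ihl, in_proto, _, target = ipv4_header(inner)
    dport = None
    if in_proto == 6 and len(inner) >= in_ihl + 4:
        dport = struct.unpack("!H", inner[in_ihl + 2:in_ihl + 4])[0]
    return {"reporter": reporter, "target": target, "dport": dport, "code": code,
            "meaning": ADMIN_PROHIBITED.get(code) or OTHER_CODES.get(code, "other"),
            "admin_filter": code in ADMIN_PROHIBITED,
            # Equal addresses: the target itself answered, or the address was spoofed.
            "reporter_is_target": reporter == target}

def build_sample(reporter, client, target, code, dport):
    """Constructed test packet (checksums left zero; the parser does not verify them)."""
    def ip(proto, src, dst, total):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", 40000, dport, 1)          # first 8 bytes of the SYN
    inner = ip(6, client, target, 40) + tcp8
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner
    return ip(1, reporter, client, 20 + len(icmp)) + icmp
```

When "reporter_is_target" is true the datagram alone cannot distinguish a genuine refusal by the destination from the spoofed case described in the message.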