An improvement to Traceroute

The network route from a destination is not always static.  Alot of routers allow load splitting.  Traceroute assumes a single path from a destination.

 Traceroute works by sending packets with varying Time To Live (TTL) fields.  Each time a packet is routed or forwarded, the TTL is decremented.  When the TTL reaches 0, a router should send a TTL Exceeded message to the origin.  The router in question identifies itself to the originator of the packet.  The reason for the TTL is to avoid packets being forwarded indefinately, due to routing loops or incorrectly configured routers.

The packet we send is arbitrary, but probably something like a TCP connection on port 80 which most people allow.  If we dont use a popular protocol we might get filtered.  If we set the TTL to 1, our packet will make it 1 hop before returning to us.  Then making it 2, it makes it 2 hops.  Making it 3 makes it return after 3 hops and so on.  If we continue until the packet finally makes it the destination, we can determine the route the packet takes.

Infact, its not strictly correct.  Assymetric routing means that packets are forwarded on different paths depending on wether the packets originate from the source or destination.  That is, the source takes a different path to the destination compared to packets travelling from the destination to the source.

In addition to determing network routes, firewalls can be detected along the way by differences in packet filtering and handling of the TTL.

A better apprach though than the one I described is to send multiple packets on each TTL being used.  This way we can detect routers that are using load balancing techniques.  By drawing a map using the results we get a much clearer indication of the network topology, and discover that load balancing is used almost everywhere.

I wrote a program that did this in 2002, which I since lost into internet oblivious.  I think something like xtraceroute would be ideal to add to any system.


2 responses to “An improvement to Traceroute

  1. Yep we used to do this by hand but now would probably use something like paris:

    There’ll be a lot more fun to be had with timing/ttl, I suspect 🙂

  2. This statistical method (send of many packets to guess the load balancing device) sounds to me like the approach that Juan M. Bello Rivas (rwxrwxrwx) tried with HTTP load balancers. You’ve probably heard about its implementation in a famous vulnerability assessment product 😉 ! But, you may not know that Juan did the same job in a workalone python program : It is called halberd

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s