You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network.
How can you achieve this?
A. Block ICMP at the firewall.
B. Block UDP at the firewall.
C. Both A and B.
D. There is no way to completely block doing a trace route into this area.
Explanation:
When you run a traceroute to a target network address, you send a UDP packet with a time to live (TTL) of 1 to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet, because the packet's TTL has now expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL-Exceeded) packet to your system, carrying the router's address as its source. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.
This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port-Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.
If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.
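The hop-by-hop exchange described in the explanation, as an added example that is not part of the original page: an offline Python simulation that sends no packets. The path, the documentation-range addresses and the `silent` flag are constructed assumptions.

```python
"""Offline simulation of the UDP traceroute exchange (no packets are sent)."""

TIME_EXCEEDED = (11, 0)     # ICMP type 11, code 0
PORT_UNREACHABLE = (3, 3)   # ICMP type 3, code 3

# Constructed path: (address, silent). silent=True models a device that
# returns no ICMP messages. Addresses are RFC 5737 documentation ranges.
SAMPLE_PATH = [
    ("192.0.2.1", False),
    ("192.0.2.254", True),
    ("198.51.100.1", False),
    ("203.0.113.10", False),   # destination
]

def send_probe(path, ttl):
    """Return (source_address, icmp) for one probe, or None if nothing comes back."""
    for addr, silent in path[:-1]:
        ttl -= 1                      # each router decrements the TTL
        if ttl == 0:                  # expired here: the probe goes no further
            return None if silent else (addr, TIME_EXCEEDED)
    dest, silent = path[-1]           # probe reached the destination's closed port
    return None if silent else (dest, PORT_UNREACHABLE)

def traceroute(path, max_hops=30):
    """Send probes with TTL 1, 2, ... and return the rows a client would display."""
    rows = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, ttl)
        if reply is None:
            rows.append((ttl, "* * *"))   # no ICMP reply for this TTL
            continue
        addr, icmp = reply
        rows.append((ttl, addr))
        if icmp == PORT_UNREACHABLE:      # destination answered: trace complete
            break
    return rows

if __name__ == "__main__":
    for hop, shown in traceroute(SAMPLE_PATH):
        print(hop, shown)
```

In the sample path the silent second hop shows as `* * *` while the hops after it still answer; marking the destination silent instead makes the loop run until `max_hops`.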
I disagree, traceroute can be blocked. Bad question, but give them the answer they want
http://www.ehow.com/how_7575301_block-traceroute.html