There is an interesting way of knowing what kind of filters are placed in the gateway of a specific host. It is called firewalk and it is based on IP TTL expiration. The algorithm goes as follows:

  • The entire route is determined using any of the traceroute techniques available
  • A packet is sent with the TTL equal to the distance to the target
  • If the packet times out, it is resent with the TTL equal to the distance to the target minus one.
  • If an ICMP type 11 code 0 (Time-to-Live exceeded) is received, the packet was forwarded and so the port is not blocked.
  • If no response is received, the port is blocked on the gateway.

Let?s see this with a real example. Consider the following network diagram:

Firewalking happens with the following steps:

  1. Traceroute packets are sent to determine the gateway with decremental TTL:


2. An ICMP Time Exceeded message is received from the default gateway for the TTL=2 and TTL=1 packet, which means there are two gateways between origin and destination and TTL=3 is the distance to the destination

3. Several packets are sent with TTL=3 to the destination varying the destination port. The sequence goes as follows: A first packet is sent with TTL=3. If a timeout occurs, a second packet is sent with TTL=1. If an ICMP type 11 code 0 (Time-to-live exceeded) is received, the gateway is forwarding the packet.

Let?s see the first packet to port 1 and TTL=3:

Timeout occurs, so same packet is sent with TTL=2:

ICMP type 11 code 0 is sent from the gateway routing the destination host, which means the packet was forwarded and the port is opened:

How can we use this technique? Nmap has a firewalk script that can be used. For this example, the following command should be issued:

nmap --script=firewalk --traceroute

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ComputerCOP Supercut

A county sheriff from Limestone, Alabama is sticking by his department's endorsement of ComputerCOP, a shady piece of software given to parents to monitor their kids online. Other law enforcement agencies, it appears, have followed that example.

Earlier this week, the Electronic Frontier Foundation published an investigation into software called ComputerCOP which approximately 245 agencies in more than 35 states, plus the US Marshals, have been distributing to parents to use to monitor their children. The software is essentially spyware, and many versions come with a keylogger, which in some cases transmits unencrypted keystrokes to a server.

In addition to ComputerCOP's security issues, the EFF discovered misleading marketing materials that wrongly claimed endorsements from the US Department of the Treasury and the ACLU. “Law enforcement agencies have purchased a poor product, slapped their trusted emblems on it, and passed it on to everyday people. It’s time for those law enforcement agencies to take away ComputerCOP’s badge,” Dave Maass of the EFF wrote in an article that was republished on Ars on Wednesday.

Read 12 remaining paragraphs | Comments

Internet Storm Center Infocon Status