Discovering Policy-Based Routes with Layer 4 Traceroutes (LFT)

I already published a few examples of how you can use layer four traceroutes to get through firewall policies that block ping but allow some well-known ports such as 80 or 443. Long story short: sending TCP SYN packets to an open firewall port with the TTL trick will probably succeed where a classical traceroute based on ICMP echo-requests fails.

Another nice use case for layer 4 traceroutes is the recognition of policy-based routes within your own network (or even beyond). That is: depending on the TCP/UDP port used for the traceroute, you can reveal which path your packets take through the network. This is quite useful compared to classical traceroutes, which only reveal the path chosen by the ordinary routing table, not the policy-based one.

Okay, here’s the deal: set the port of your layer 4 traceroute to the one you’ve configured in the policy-based forwarding rule on your firewall/router. This sends the TCP SYNs along the PBR path, while the TTL trick (increasing the TTL, starting at 1) reveals the hops.

Here is an example. I configured a PBR rule forwarding ports 80 and 443 through another ISP. Tracerouting to with ICMP echo-requests (-I), the tool lists the common routing path. Using a layer four traceroute on the HTTP port (-T -p 80), it lists the policy-based routing path. Up to the 5th hop the paths are the same. The ICMP trace finished after 12 hops, while the HTTP one needed 17 through a completely different path:
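To turn the "up to the 5th hop the paths are the same" observation into a repeatable check, here is an added example (not code from the original post) that parses two traces and reports the first hop where the ICMP path and the TCP/80 path diverge; the two traces are constructed sample output in a simple hop-number/address/RTT layout, not real captures, and an unanswered hop (*) is treated as unknown rather than as a difference.

```python
"""Locate the hop where a policy-based route diverges by comparing an ICMP
traceroute with a layer-4 (TCP port) traceroute.  Added example, not code
from the original post; both traces are constructed sample output in the
'hop-number  address  rtt' style, not real captures."""
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then address or '*'

ICMP_TRACE = """\
 1  192.168.1.1 0.4ms
 2  10.10.0.1 1.2ms
 3  10.10.1.1 2.0ms
 4  203.0.113.1 5.1ms
 5  203.0.113.9 6.3ms
 6  198.51.100.1 9.8ms
 7  198.51.100.77 11.0ms
"""

TCP80_TRACE = """\
 1  192.168.1.1 0.4ms
 2  10.10.0.1 1.1ms
 3  10.10.1.1 2.2ms
 4  203.0.113.1 5.0ms
 5  203.0.113.9 6.4ms
 6  192.0.2.1 14.9ms
 7  *
 8  192.0.2.33 20.1ms
 9  198.51.100.77 22.5ms
"""

def parse_hops(trace: str) -> list:
    """One address per hop, in order; '*' marks an unanswered hop."""
    return [m.group(2) for m in map(HOP_RE.match, trace.splitlines()) if m]

def divergence_hop(path_a: list, path_b: list):
    """First hop (1-based) where the paths differ, or None if they agree on
    every hop both contain.  '*' on either side is unknown, not a difference."""
    for i, (a, b) in enumerate(zip(path_a, path_b), start=1):
        if a != b and "*" not in (a, b):
            return i
    return None

if __name__ == "__main__":
    icmp, tcp80 = parse_hops(ICMP_TRACE), parse_hops(TCP80_TRACE)
    hop = divergence_hop(icmp, tcp80)
    print(f"ICMP: {len(icmp)} hops, TCP/80: {len(tcp80)} hops")
    print("paths diverge at hop", hop if hop else "none (no PBR seen)")
```

Feed it the real output of your ICMP and TCP-port traces to the same target and a divergence hop greater than one tells you where the policy-based forwarding rule takes effect.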


You can additionally use the -A option to perform an AS path lookup as well:


That’s it.

If you’re interested in policy-based routing/forwarding posts on my blog, here are some for firewalls from Palo Alto, Fortinet, Cisco and Juniper. Common acronyms are PBR or PBF.

Featured image “Very high frequency (VHF)” by caratello is licensed under CC BY-NC 2.0.
