I already published a few examples of how you can use layer four traceroutes to pass firewall policies that block ping but allow some well-known ports such as 80 or 443. Long story short: Using TCP SYN packets on an open firewall port together with the TTL trick is much more likely to succeed than a classical traceroute based on ICMP echo-requests.
Another nice use case for layer 4 traceroutes is the detection of policy based routes within your own network (or even beyond). That is: Depending on the TCP/UDP port used for the traceroute you can reveal which path your packets take through the network. This is quite useful compared to classical traceroutes, which only reveal the path chosen by the regular routing table but not the one chosen by a policy based rule.
Okay, here’s the deal: Set the port of your layer 4 traceroute to the one you’ve configured in the policy based forwarding rule on your firewall/router. This sends the TCP SYNs along the PBR path, while the TTL trick (starting at a TTL of 1 and increasing it per probe) reveals the hops on that path.
Here is an example. I configured a PBR rule forwarding ports 80 and 443 through another ISP. Tracerouting to weberblog.net with ICMP echo-requests (-I) lists the regular routing path. A layer four traceroute to the HTTP port (-T -p 80) lists the policy based routing path instead. Up to the 5th hop the paths are the same. The ICMP one finished after 12 hops, while the HTTP one needed 17 hops through a completely different path:
```
pi@pi01-test1:~ $ sudo traceroute -I weberblog.net
traceroute to weberblog.net (5.35.226.136), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1)  1.731 ms  2.243 ms  2.777 ms
 2  192.168.127.1 (192.168.127.1)  1.680 ms  2.037 ms  2.779 ms
 3  192.168.122.1 (192.168.122.1)  2.472 ms  3.023 ms  3.481 ms
 4  192.168.121.5 (192.168.121.5)  1.339 ms  1.404 ms  1.193 ms
 5  pa-trust-server.webernetz.net (192.168.120.1)  1.126 ms  1.365 ms  1.198 ms
 6  87.190.30.97 (87.190.30.97)  1.878 ms  1.652 ms  2.231 ms
 7  87.191.125.21 (87.191.125.21)  3.050 ms  2.705 ms  2.729 ms
 8  62.154.14.106 (62.154.14.106)  11.653 ms  11.513 ms  11.418 ms
 9  62.157.250.82 (62.157.250.82)  6.851 ms  6.872 ms  6.929 ms
10  ae7.dr-slave.r2.cgn3.plusserver.com (87.230.114.182)  7.395 ms  7.706 ms  7.624 ms
11  * * *
12  5.35.226.136 (5.35.226.136)  7.325 ms  7.088 ms  6.610 ms
pi@pi01-test1:~ $
pi@pi01-test1:~ $
pi@pi01-test1:~ $ sudo traceroute -T -p 80 weberblog.net
traceroute to weberblog.net (5.35.226.136), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1)  1.809 ms  1.984 ms  2.169 ms
 2  192.168.127.1 (192.168.127.1)  1.730 ms  2.003 ms  2.280 ms
 3  192.168.122.1 (192.168.122.1)  2.144 ms  2.773 ms  3.053 ms
 4  192.168.121.5 (192.168.121.5)  1.276 ms  1.392 ms  0.992 ms
 5  pa-trust-server.webernetz.net (192.168.120.1)  3.456 ms  3.197 ms  2.952 ms
 6  10.49.254.1 (10.49.254.1)  3.681 ms  3.076 ms  4.284 ms
 7  10.49.253.2 (10.49.253.2)  2.513 ms  3.320 ms  7.985 ms
 8  dslb-094-219-112-001.094.219.pools.vodafone-ip.de (94.219.112.1)  27.365 ms  27.536 ms  27.312 ms
 9  * * *
10  92.79.214.234 (92.79.214.234)  33.312 ms 92.79.214.110 (92.79.214.110)  20.093 ms 92.79.214.234 (92.79.214.234)  19.615 ms
11  145.254.2.175 (145.254.2.175)  20.759 ms  21.659 ms 145.254.2.191 (145.254.2.191)  23.617 ms
12  et-7-0-0.cr-polaris.fra1.core.heg.com (80.81.192.239)  24.348 ms  21.667 ms  21.357 ms
13  ae0.cr-antares.fra10.core.heg.com (87.230.114.118)  56.482 ms  27.170 ms  26.863 ms
14  ae4.cr-nashira.cgn4.core.heg.com (87.230.114.121)  46.804 ms  45.780 ms  45.453 ms
15  ae7.dr-slave.r2.cgn3.plusserver.com (87.230.114.182)  27.411 ms  33.728 ms  33.500 ms
16  * * *
17  5.35.226.136 (5.35.226.136)  39.056 ms  24.522 ms  23.156 ms
```
You can additionally use the -A option to perform an AS number lookup for every hop, which makes the change of upstream provider along the PBR path obvious:
```
pi@pi01-test1:~ $ sudo traceroute -I -A weberblog.net
traceroute to weberblog.net (5.35.226.136), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1) [*]  1.829 ms  2.206 ms  2.604 ms
 2  192.168.127.1 (192.168.127.1) [*]  2.073 ms  2.645 ms  3.232 ms
 3  192.168.122.1 (192.168.122.1) [*]  2.612 ms  3.307 ms  3.984 ms
 4  192.168.121.5 (192.168.121.5) [*]  1.360 ms  1.415 ms  1.159 ms
 5  pa-trust-server.webernetz.net (192.168.120.1) [*]  1.652 ms  1.467 ms  1.420 ms
 6  87.190.30.97 (87.190.30.97) [AS3320]  1.882 ms  1.604 ms  2.030 ms
 7  87.191.125.21 (87.191.125.21) [AS3320]  1.954 ms  1.946 ms  2.069 ms
 8  62.154.14.106 (62.154.14.106) [AS3320]  11.940 ms  11.802 ms  11.813 ms
 9  62.157.250.82 (62.157.250.82) [AS3320]  7.168 ms  7.184 ms  7.249 ms
10  ae7.dr-slave.r2.cgn3.plusserver.com (87.230.114.182) [AS20773]  7.387 ms  7.395 ms  7.138 ms
11  * * *
12  5.35.226.136 (5.35.226.136) [AS20773]  7.511 ms  7.432 ms  7.049 ms
pi@pi01-test1:~ $
pi@pi01-test1:~ $
pi@pi01-test1:~ $ sudo traceroute -T -p 80 -A weberblog.net
traceroute to weberblog.net (5.35.226.136), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1) [*]  1.746 ms  1.951 ms  2.282 ms
 2  192.168.127.1 (192.168.127.1) [*]  1.488 ms  1.631 ms  1.967 ms
 3  192.168.122.1 (192.168.122.1) [*]  2.244 ms  2.812 ms  3.299 ms
 4  192.168.121.5 (192.168.121.5) [*]  1.528 ms  1.280 ms  0.935 ms
 5  pa-trust-server.webernetz.net (192.168.120.1) [*]  1.073 ms  1.163 ms  1.166 ms
 6  10.49.254.1 (10.49.254.1) [*]  2.215 ms  3.043 ms  4.204 ms
 7  10.49.253.2 (10.49.253.2) [*]  2.480 ms  2.706 ms  4.336 ms
 8  dslb-094-219-112-001.094.219.pools.vodafone-ip.de (94.219.112.1) [AS3209]  18.146 ms  20.333 ms  21.650 ms
 9  * * *
10  92.79.214.110 (92.79.214.110) [AS3209]  25.289 ms 92.79.214.234 (92.79.214.234) [AS3209]  25.915 ms  29.191 ms
11  145.254.2.191 (145.254.2.191) [AS3209]  30.130 ms  18.708 ms  19.381 ms
12  et-7-0-0.cr-polaris.fra1.core.heg.com (80.81.192.239) [*]  20.041 ms  22.848 ms  23.484 ms
13  ae0.cr-antares.fra10.core.heg.com (87.230.114.118) [AS20773]  19.559 ms  20.123 ms  21.516 ms
14  ae4.cr-nashira.cgn4.core.heg.com (87.230.114.121) [AS20773]  25.795 ms  26.393 ms  28.233 ms
15  ae7.dr-slave.r2.cgn3.plusserver.com (87.230.114.182) [AS20773]  30.804 ms  49.297 ms  49.834 ms
16  * * *
17  5.35.226.136 (5.35.226.136) [AS20773]  24.835 ms  28.362 ms  28.192 ms
```
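If you run such ICMP/TCP pairs regularly (for example to verify that a PBR rule still sends port 80 via the second ISP), it helps to compare the two outputs automatically. The following Python script is an added example and not part of the original post: it parses `traceroute -A` output, copes with unresponsive (`* * *`) hops and hops answered by several routers, and reports the first hop where the two paths diverge plus the AS sequence of each run. The sample input is constructed from a few hop lines of the runs above and is not a complete capture.

```python
import re
# Constructed sample input: hop lines copied from the two -A runs above,
# trimmed to a few hops each (not a complete capture).
ICMP_RUN = """\
 1  192.168.124.1 (192.168.124.1) [*]  1.829 ms  2.206 ms  2.604 ms
 5  pa-trust-server.webernetz.net (192.168.120.1) [*]  1.652 ms  1.467 ms  1.420 ms
 6  87.190.30.97 (87.190.30.97) [AS3320]  1.882 ms  1.604 ms  2.030 ms
12  5.35.226.136 (5.35.226.136) [AS20773]  7.511 ms  7.432 ms  7.049 ms
"""
TCP80_RUN = """\
 1  192.168.124.1 (192.168.124.1) [*]  1.746 ms  1.951 ms  2.282 ms
 5  pa-trust-server.webernetz.net (192.168.120.1) [*]  1.073 ms  1.163 ms  1.166 ms
 6  10.49.254.1 (10.49.254.1) [*]  2.215 ms  3.043 ms  4.204 ms
 9  * * *
10  92.79.214.110 (92.79.214.110) [AS3209]  25.289 ms 92.79.214.234 (92.79.214.234) [AS3209]  25.915 ms  29.191 ms
17  5.35.226.136 (5.35.226.136) [AS20773]  24.835 ms  28.362 ms  28.192 ms
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\S+ \(([\d.]+)\)(?: \[(AS\d+|\*)\])?")

def parse_traceroute(text):
    # hop number -> list of (ip, asn); a '* * *' hop gives an empty list,
    # a hop answered by several routers (ECMP) gives several entries
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, rest = int(m.group(1)), m.group(2)
            hops[hop] = [(ip, asn if asn.startswith("AS") else None)
                         for ip, asn in ADDR_RE.findall(rest)]
    return hops

def first_divergent_hop(a, b):
    # first hop where both runs got an answer but from different routers;
    # unresponsive hops carry no evidence and are skipped
    for hop in sorted(set(a) & set(b)):
        ips_a, ips_b = {ip for ip, _ in a[hop]}, {ip for ip, _ in b[hop]}
        if ips_a and ips_b and ips_a != ips_b:
            return hop
    return None

def as_path(hops):
    # distinct AS numbers in hop order, skipping hops without AS annotation
    path = []
    for hop in sorted(hops):
        for _, asn in hops[hop]:
            if asn and asn not in path:
                path.append(asn)
    return path
```

Feeding both full runs from above into `first_divergent_hop` yields hop 6, i.e. the first hop after the Palo Alto, which is exactly where the PBR rule kicks in.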
That’s it.
If you’re interested in policy based routing/forwarding posts on my blog: Here are some for the firewalls from Palo Alto, Fortinet, Cisco, and Juniper. Common acronyms are PBR (policy based routing) or PBF (policy based forwarding).
Featured image “Very high frequency (VHF)” by caratello is licensed under CC BY-NC 2.0.