Traceroute can be used to map network topologies

| Check or Attack Name | Risk Level | Platforms |
|---|---|---|
| traceroute | Low | Any |

Description: Traceroute is a utility that determines the path a packet takes between two endpoints. When a packet-filtering firewall is configured incorrectly, an attacker can traceroute through the firewall and learn the network topology behind it. This information may allow an attacker to identify trusted routers and other details of the internal network.

False Positives: If traceroute is active on an internal network, this message does not represent a vulnerability. If tracerouting is possible through the firewall, your network is vulnerable.

Remedy: Prevent or limit external tracerouting into internal networks via packet filtering.

Unix: The Unix version of the Scanner uses UDP packets to conduct a traceroute. Disallow incoming UDP packets with high-numbered destination ports. For more information, refer to your firewall documentation. The Unix Scanner does not detect ICMP-based traceroute.

Windows NT: The NT version of the Scanner uses ICMP to conduct a traceroute. Disallow incoming ICMP packets with high-numbered destination ports. For more information, refer to your firewall documentation. The NT Scanner does not detect UDP-based traceroute.

Note: Because the Unix and NT versions of the Scanner use different methods for traceroute, this vulnerability may occasionally be found by one version of the Scanner and not the other.

References: Know Your Risks
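The two probe styles described above (UDP to high-numbered ports from Unix, ICMP echo from NT) share one fingerprint at the firewall: a run of packets from one source whose TTL climbs 1, 2, 3, ... As an added example that is not part of the original check text, the script below runs that detection over constructed netfilter-style log lines; the field names, sample addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in a netfilter-like key=value format (not from the page).
SAMPLE_LOG = """\
SRC=203.0.113.5 DST=192.0.2.10 TTL=1 PROTO=UDP SPT=40123 DPT=33434
SRC=203.0.113.5 DST=192.0.2.10 TTL=2 PROTO=UDP SPT=40123 DPT=33435
SRC=203.0.113.5 DST=192.0.2.10 TTL=3 PROTO=UDP SPT=40123 DPT=33436
SRC=198.51.100.7 DST=192.0.2.10 TTL=1 PROTO=ICMP TYPE=8 CODE=0
SRC=198.51.100.7 DST=192.0.2.10 TTL=2 PROTO=ICMP TYPE=8 CODE=0
SRC=198.51.100.7 DST=192.0.2.10 TTL=3 PROTO=ICMP TYPE=8 CODE=0
SRC=192.0.2.99 DST=192.0.2.10 TTL=64 PROTO=UDP SPT=53 DPT=53
SRC=192.0.2.99 DST=192.0.2.10 TTL=64 PROTO=UDP SPT=5353 DPT=33434
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
UDP_TRACEROUTE_PORTS = range(33434, 33534)  # classic Unix traceroute base port plus up to 100 hops
MIN_HOPS = 3                                 # require a TTL ladder of at least this many steps
LOW_TTL_MAX = 30                             # assumed threshold: normal traffic arrives with TTL well above this

def parse(line):
    """Split one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(pkt):
    """Return 'udp' or 'icmp' if the packet looks like a traceroute probe, else None."""
    ttl = int(pkt.get("TTL", 255))
    if ttl > LOW_TTL_MAX:
        return None
    if pkt.get("PROTO") == "UDP" and int(pkt.get("DPT", 0)) in UDP_TRACEROUTE_PORTS:
        return "udp"                 # Unix-style probe: UDP to a high-numbered port
    if pkt.get("PROTO") == "ICMP" and pkt.get("TYPE") == "8":
        return "icmp"                # NT-style probe: ICMP echo request
    return None

def detect_traceroute(log_text):
    """Map each source address to the probe style seen when its TTLs step upward from 1."""
    ttls = defaultdict(set)
    styles = {}
    for line in log_text.splitlines():
        pkt = parse(line)
        style = classify(pkt)
        if style is None:
            continue
        ttls[pkt["SRC"]].add(int(pkt["TTL"]))
        styles[pkt["SRC"]] = style
    # A traceroute walks TTL 1, 2, 3, ...; require a contiguous ladder starting at 1.
    return {src: styles[src] for src, seen in ttls.items()
            if seen >= set(range(1, MIN_HOPS + 1))}

if __name__ == "__main__":
    print(detect_traceroute(SAMPLE_LOG))
```

Traffic with a normal TTL is ignored even when it happens to hit port 33434, so a stray UDP packet alone does not trigger the check; only the TTL ladder does.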