Foreword

The traceroute program is a common utility found on many operating systems that lets people see the path (or route) an Internet packet takes in one direction. Each router that receives the packet you sent hands it off to the router that is the next hop toward the destination.

In the example on the left you see a sample traceroute to www.leo.org.

How traceroute works

Traceroute takes advantage of a field in the Internet Protocol (IP) header called the "Time to Live" (TTL). The TTL can be set from 1 to 255 and should be decremented (value - 1) by every router that forwards the packet. If the packet's TTL is 0 after the decrement, that packet must not be forwarded, and an Internet Control Message Protocol (ICMP) "Time Exceeded in transit" message is returned to the packet's origin. The traceroute program sets the TTL of each probe it sends, listens for the ICMP Time Exceeded reply, then increments the TTL for the next hop and repeats.

Adding (faked) routes

Given this knowledge it is trivial to change someone's traceroute output. Consider a host replying with a fake ICMP Time Exceeded message from a fake IP address. The output would look something like the second screenshot.

An example fake traceroute.

You can get hold of sample code for the program that produces this fake traceroute here (you need libpjp, which is not provided, but the functions are easily replicated).

Deleting routes

Hiding a router from a traceroute is possible as well. As an example I have picked the IPSTEALTH code in the FreeBSD project (/sys/netinet/ip_input.c).

$ sed -n 1706,1711p ip_input.c
#ifdef IPSTEALTH
        if (!ipstealth) {
#endif
                ip->ip_ttl -= IPTTLDEC;
#ifdef IPSTEALTH
        }
$ 
The code allows the TTL decrement by IPTTLDEC (1) to be switched off with the ipstealth toggle. Because this router never brings the TTL down to 0, it produces no ICMP Time Exceeded, and the packet is forwarded on to another router that may produce such a message. One thing should be considered here: this breaks the protocol laid down in RFC 791 (the IPv4 standard), since the TTL exists precisely so that a packet cannot circulate indefinitely, and a router that does not decrement it removes that protection at its hop. Widespread use would slowly erode the reliability and functionality the Internet was built on.
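As an added illustration (not code from this paper or from the FreeBSD kernel), the following Python simulation models the per-hop TTL handling described under "How traceroute works" together with an IPSTEALTH-style router that forwards without decrementing; every address in it is a constructed sample value.

```python
# Added simulation, not code from the paper or the FreeBSD kernel. Models the
# per-hop TTL handling described above; all addresses are constructed samples.
from dataclasses import dataclass
from typing import List

IPTTLDEC = 1  # decrement per hop, matching the constant quoted from ip_input.c


@dataclass
class Router:
    addr: str              # constructed sample address, not a real hop
    stealth: bool = False  # True models ipstealth=1: forward without touching TTL


def forward_probe(path: List[Router], dest: str, ttl: int) -> str:
    """Send one probe with the given TTL through `path` and return the address
    that answers it: a router's ICMP Time Exceeded, or the destination itself."""
    for router in path:
        if router.stealth:
            continue            # IPSTEALTH: no decrement, no ICMP, just pass it on
        ttl -= IPTTLDEC         # RFC 791 behaviour: every router decrements
        if ttl <= 0:
            return router.addr  # TTL exhausted here: ICMP Time Exceeded sent back
    return dest                 # probe survived every hop: destination answers


def traceroute(path: List[Router], dest: str, max_ttl: int = 30) -> List[str]:
    """Mimic traceroute: probe with TTL 1, 2, 3, ... until the destination replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder = forward_probe(path, dest, ttl)
        hops.append(responder)
        if responder == dest:
            break
    return hops


def hidden_routers(path: List[Router], observed: List[str]) -> List[str]:
    """Routers on the true path that never showed up in the traceroute output."""
    return [r.addr for r in path if r.addr not in observed]


if __name__ == "__main__":
    # Constructed path: the second router runs with ipstealth enabled.
    path = [Router("10.0.0.1"), Router("10.0.0.2", stealth=True), Router("10.0.0.3")]
    seen = traceroute(path, "10.0.0.9")
    for n, hop in enumerate(seen, 1):
        print(f"{n:2d}  {hop}")
    print("hidden:", hidden_routers(path, seen))  # ['10.0.0.2']
```

In the sample run the stealth router never answers, so the output lists one hop fewer than the true path and the router after it appears in its place.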

Adding routes to IPv6 traceroutes

I wrote a proof-of-concept for IPv6. The source is here, and here is a screenshot of it in action:

The concept is the same as in IPv4. With the use of reverse DNS I was able to give the message "hello, why are you tracerouting6 me" to the person doing a UDP traceroute. (It doesn't work with ICMPv6 traceroute yet.)

Afterword

The protocols of the Internet are part of one big program. When any part of it is changed, that program can very easily give false or misleading data. So it's best not to put 100% reliance on every traceroute you see. Thanks to Figz, who provided proof-of-concept code in 1997 and helped me understand. Thankfully I had enough time to write my own programs and share this with you in this mini-paper.