Issue:
Palo Alto Networks has an application for ping, but not for traceroute - how can I block traceroute?
Resolution:
The challenge with traceroute is that different OS's and applications implement the traceroute function differently. The standard Windows traceroute run the MS-DOS prompt which sends ICMP echo request packets to the destination, incrementing the IP TTL for each hop. The standard Unix traceroute, on the other hand, sends UDP packets using ports 33434-33534 to the destination incrementing the IP TTL for each hop.
With this behavior in mind, to block Windows traceroutes, create a security rule using the "ping" application. To block Unix traceroutes use a custom application created for UDP ports 33434-33534.
To differentiate between ping and traceroute for Windows it appears that the ICMP packets used by Windows for traceroutes have "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" in the ICMP payload. Conversely, ICMP packets used by Windows for ping have "61:62:63:64:65:66:67:68:69:6a:6b:6c:6d:6e:6f:70:71:72:73:74:75:76:77:61:62:63:64:65:66:67:68:69" in the payload. A custom application could be created based on this information, but there would be no guarantee Microsoft or the person running the traceroute would not change the data contained within the payload.
There may be other available applications that implement differently. To block those, capture the traceroute traffic to observe its behavior and then create a custom application for it.
owner: jwoodburn