Michal Zalewski has just released a new security tool called 0trace. Here is a brief description about it :
This tool enables the user to perform hop enumeration (“traceroute”) within an established TCP connection, such as a HTTP or SMTP session.
This is opposed to sending stray packets, as traceroute-type tools usually do.
Here is the benefit of using the mechanism applied by 0trace “such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table)”.
But it also has limitations. According to the announcement information, the tool will not produce interesting results in the following situations:
- Target’s firewall drops all outgoing ICMP messages,
- Target’s firewall does TTL or full-packet rewriting,
- There’s an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),
- There’s no notable layer 3 infrastructure behind the firewall.
You can get more information about this from LWN article.