Networking Forums

Why some hosts in Internet not prefer to be traceroute-d ?

Ashish Shukla
09-24-2007, 08:00 PM
Hi,

I'm not sure if this post comes under topic for this list, or right
place to clear my networking doubts, so tagging this post "[OT]".

I've traceroute-d hundreds of hosts and noticed that some of the routers in
the routes, or the endpoint hosts, prefer not to respond to traceroutes,
i.e. not to send a TTL exceeded ICMP packet back to the host. As I
don't have any experience of working in a large network, could someone
tell me whether sysadmins create such rules in their firewall,
like dropping TTL exceeded ICMP packets (dropping such packets in
the OUTPUT chain of their *iptables*, if they're running some Linux
router)?

I used to traceroute in unprivileged user mode, which uses UDP
probes. So do these sysadmins prefer blocking ICMP "TTL exceeded"
replies for UDP packets rather than ICMP "TTL exceeded" for ICMP ECHO
packets, hmm... ? Or is there no such thing as blocking an ICMP "TTL
exceeded" reply associated with a UDP packet, hmm... ?

What's the difference between a router and an endpoint host from the
point of view of traceroute?

Why is some endpoint host, which has been blocking ICMP "TTL exceeded"
for UDP packets, allowing a "traceroute" associated with a UDP packet
for a listening port? I encountered this while trying to "traceroute
66.179.175.2". I've posted the whole experience at the following URL:

http://wahjava.wordpress.com/2007/09...lt-traceroute/

BTW, the above host can be tracerouted using ICMP but not UDP:

-- begin dump --
[wahjava@chatteau ~]$ sudo traceroute -n -I 66.179.175.2
Password:
traceroute to 66.179.175.2 (66.179.175.2), 30 hops max, 40 byte packets
1 * * *
2 202.56.215.230 38.221 ms 41.175 ms 43.159 ms
3 122.160.220.154 45.114 ms 47.115 ms 49.081 ms
4 203.101.83.197 51.073 ms * 53.020 ms
5 125.21.167.25 111.045 ms 112.970 ms 115.947 ms
6 208.192.179.97 350.955 ms 321.876 ms 320.912 ms
7 152.63.22.74 331.900 ms 331.915 ms 331.925 ms
8 152.63.96.10 380.930 ms 380.894 ms 380.924 ms
9 152.63.97.21 373.886 ms 375.914 ms 374.944 ms
10 157.130.155.154 375.842 ms 376.888 ms 384.888 ms
11 66.179.168.11 366.902 ms 366.932 ms 366.901 ms
12 66.179.80.100 362.945 ms 362.918 ms 363.908 ms
13 66.179.175.2 376.909 ms 381.914 ms 380.902 ms
14 66.179.175.2 375.000 ms 374.957 ms 373.920 ms
-- end dump --

Thanks in advance.
Ashish Shukla
--
http://wahjava.wordpress.com/

Moe Trin
09-25-2007, 07:53 PM
On Mon, 24 Sep 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed). com>, Ashish Shukla
wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>I've traceroute-d hundreds of hosts and noticed some of the routers in
>the routes or endpoint hosts prefer not to respond to traceroute's
>i.e. not to send a TTL exceeded ICMP packet back to the host. As I
>don't have any experience of working in a large network, so if someone
>could tell me sysadmins used to creates such rules in their firewall,
>like dropping TTL exceeded ICMP packets (dropping such packets in
>their OUTPUT chain of their *iptables*, if they're running some Linux
>router) .


The documentation that comes with the original LBL 'traceroute' from
Van Jacobson has a number of suggestions. However many network
administrators block such traffic as a simple security measure. They
feel that you have no valid reason to determine what their network
looks like. This block may be not generating ICMP type 11 (most
operating systems use TTLs adequate to reach nearly every destination
on the Internet, so it's not a huge loss), or blocking _all_ ICMP
(excepting possibly types 0 and 3 inbound, and type 8 outbound) and
all unsolicited UDP inbound (except to DNS servers). Still others
block all connections to areas of the world where they expect no
useful traffic, or where they perceive only abuse. Note that unless
you have a specific agreement to the contrary, anyone on the Internet
may decline or ignore your traffic.

>I used to traceroute in unprivileged user mode, which is using UDP
>probes. So do these sysadmins prefer blocking ICMP "TTL exceeded"
>replies for UDP packets, than ICMP "TTL exceeded" for ICMP ECHO
>packets, hmm... ? Or there is no such thing like blocking ICMP "TTL
>exceeded" reply associated with a UDP packet, hmm... ?


Depends on the firewall.

>What's the difference between a router and a endpoint host from
>point-of-view of traceroute ?


man traceroute

The intermediate hops are returning an ICMP type 11 error when
dropping a packet with time exceeded. The endpoint is probably
returning an ICMP type 3 error.

>Why some endpoint host, which has been blocking ICMP "TTL exceeded"
>for UDP packet, is allowing "traceroute" associated with a UDP packet
>for a listening port.


The endpoint should only return a Type 11 Code 1 if the packet were
fragmented. See RFC0792. See also RFC1122 and RFC1812.

>BtW, above host can be tracerouted using ICMP but not UDP:


Other than DNS, there are comparatively few Internet services that
use UDP. See above.

Old guy

 
Reply With Quote
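The reply above distinguishes the ICMP type 11 code 0 that intermediate hops send from the type 3 (port unreachable) or echo reply that marks the endpoint, and the first post shows a dump where hop 1 never answers. The following is an added example, not code from the thread: it classifies raw ICMP messages by type and code as traceroute does (the type and code values are the real ones from RFC 792, and the checksum is the standard Internet checksum), and it parses `traceroute -n` text to report which hops are silent and where the target first answered. The sample dump is an excerpt of the one in the first post; the sample ICMP messages are constructed here with `build_icmp`, a helper of this example.

```python
import re
import struct
from typing import Optional

# ICMP type/code values from RFC 792 (the RFC cited in the reply above); real constants.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
CODE_TTL_EXCEEDED = 0      # type 11 code 0: TTL reached zero in transit (intermediate hop)
CODE_FRAG_REASSEMBLY = 1   # type 11 code 1: fragment reassembly timed out at the endpoint
CODE_PORT_UNREACH = 3      # type 3 code 3: UDP probe reached the endpoint, no listener


def icmp_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes = b"\x00" * 4) -> bytes:
    """Assemble an ICMP message with a correct checksum (helper for constructing samples)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + body


def classify_icmp(packet: bytes) -> str:
    """Say what a received ICMP message means to traceroute."""
    if len(packet) < 8:
        return "truncated"
    if icmp_checksum(packet) != 0:  # a valid message checksums to zero with its own field included
        return "bad checksum"
    icmp_type, code = packet[0], packet[1]
    if icmp_type == ICMP_TIME_EXCEEDED and code == CODE_TTL_EXCEEDED:
        return "intermediate hop: type 11 code 0 (TTL exceeded in transit)"
    if icmp_type == ICMP_TIME_EXCEEDED and code == CODE_FRAG_REASSEMBLY:
        return "not a hop: type 11 code 1 (fragment reassembly time exceeded)"
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
        return "endpoint reached by UDP probe: type 3 code 3 (port unreachable)"
    if icmp_type == ICMP_ECHO_REPLY:
        return "endpoint reached by ICMP echo probe: type 0 (echo reply)"
    return "other ICMP: type %d code %d" % (icmp_type, code)


IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+)$")


def parse_traceroute(dump: str) -> list:
    """Parse 'traceroute -n' text output into one record per hop.

    Each record holds the hop number, the last address printed on the line (-n
    prints no hostnames) and one RTT per probe, with None where traceroute printed '*'.
    """
    hops = []
    for line in dump.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # prompt, 'traceroute to ...' header and blank lines carry no hop
        addr: Optional[str] = None
        rtts = []
        for tok in m.group(2).split():
            if tok == "*":
                rtts.append(None)   # probe timed out: no type 11 / type 3 came back
            elif tok == "ms":
                continue
            elif IPV4_RE.match(tok):
                addr = tok
            else:
                rtts.append(float(tok))
        hops.append({"hop": int(m.group(1)), "addr": addr, "rtts": rtts})
    return hops


def silent_hops(hops: list) -> list:
    """Hop numbers where every probe timed out: something there sends no ICMP back."""
    return [h["hop"] for h in hops if all(r is None for r in h["rtts"])]


def first_reach(hops: list, target: str) -> Optional[int]:
    """First hop at which the target address itself answered, or None if it never did."""
    for h in hops:
        if h["addr"] == target:
            return h["hop"]
    return None


# Excerpt of the dump from the first post (traceroute -n -I to 66.179.175.2).
SAMPLE_DUMP = """\
traceroute to 66.179.175.2 (66.179.175.2), 30 hops max, 40 byte packets
1 * * *
2 202.56.215.230 38.221 ms 41.175 ms 43.159 ms
4 203.101.83.197 51.073 ms * 53.020 ms
13 66.179.175.2 376.909 ms 381.914 ms 380.902 ms
14 66.179.175.2 375.000 ms 374.957 ms 373.920 ms
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_DUMP)
    print("silent hops:", silent_hops(hops))
    print("target first answered at hop:", first_reach(hops, "66.179.175.2"))
    for pkt in (build_icmp(11, 0), build_icmp(3, 3), build_icmp(0, 0)):
        print(classify_icmp(pkt))
```

On the sample, hop 1 is reported silent (all three probes printed `*`, exactly the "no type 11 generated" case the reply describes) and the target first answers at hop 13. A hop that answers type 3 code 3 to a UDP probe but nothing to an ICMP echo, or the reverse, shows up in the classifier output as one probe family reaching the endpoint and the other timing out, which is the difference between the two firewall policies discussed above.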
Robert Nichols
09-25-2007, 11:24 PM
In article <(E-Mail Removed)>,
Moe Trin <(E-Mail Removed)> wrote:
:
:Other than DNS, there are comparatively few Internet services that
:use UDP. See above.

Yes, NTP is about the only other one I make much use of. Of course the
biggest use of UDP today has got to be Microsoft Messenger Service spam.

--
Bob Nichols AT comcast.net I am "RNichols42"
Joe Pfeiffer
09-26-2007, 01:57 AM
Robert Nichols <(E-Mail Removed)> writes:

> In article <(E-Mail Removed)>,
> Moe Trin <(E-Mail Removed)> wrote:
> :
> :Other than DNS, there are comparatively few Internet services that
> :use UDP. See above.
>
> Yes, NTP is about the only other one I make much use of. Of course the
> biggest use of UDP today has got to be Microsoft Messenger Service spam.


He did say "services", after all
Ashish Shukla
09-27-2007, 04:52 AM
Moe Trin \/\/|20+3:

[...]

> The endpoint should only return a Type 11 Code 1 of the packet were
> fragmented. See RFC0792. See also RFC1122 and RFC1812.


Thanks for pointing to these RFCs.

> >BtW, above host can be tracerouted using ICMP but not UDP:
>
> Other than DNS, there are comparatively few Internet services that
> use UDP. See above.
>
> Old guy


Ashish Shukla
--
http://wahjava.wordpress.com/
