Re: Why some hosts in Internet not prefer to be traceroute-d ?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Tue, 25 Sep 2007 14:53:45 -0500
On Mon, 24 Sep 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <1190664052.482908.125240@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, Ashish Shukla
wrote:
NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.
> I've traceroute-d hundreds of hosts and noticed that some of the routers in
> the routes, or endpoint hosts, prefer not to respond to traceroutes,
> i.e. not to send a TTL exceeded ICMP packet back to the host. As I
> don't have any experience of working in a large network, could someone
> tell me whether sysadmins create such rules in their firewall,
> like dropping TTL exceeded ICMP packets (dropping such packets in
> the OUTPUT chain of their *iptables*, if they're running some Linux
> router)?
The documentation that comes with the original LBL 'traceroute' from
Van Jacobson has a number of suggestions. However, many network
administrators block such traffic as a simple security measure. They
feel that you have no valid reason to determine what their network
looks like. This block may be not generating ICMP type 11 (most
operating systems use TTLs adequate to reach nearly every destination
on the Internet, so it's not a huge loss), or blocking _all_ ICMP
(excepting possibly types 0 and 3 inbound, and type 8 outbound) and
all unsolicited UDP inbound (except to DNS servers). Still others
block all connections to areas of the world where they expect no
useful traffic, or where they perceive only abuse. Note that unless
you have a specific agreement to the contrary, anyone on the Internet
may decline or ignore your traffic.
> I used to traceroute in unprivileged user mode, which uses UDP
> probes. So do these sysadmins prefer blocking ICMP "TTL exceeded"
> replies for UDP packets rather than ICMP "TTL exceeded" for ICMP ECHO
> packets, hmm...? Or is there no such thing as blocking an ICMP "TTL
> exceeded" reply associated with a UDP packet, hmm...?
Depends on the firewall.
> What's the difference between a router and an endpoint host from the
> point of view of traceroute?
man traceroute
The intermediate hops are returning an ICMP type 11 error when
dropping a packet with time exceeded. The endpoint is probably
returning an ICMP type 3 error.
> Why is some endpoint host, which has been blocking ICMP "TTL exceeded"
> for UDP packets, allowing "traceroute" associated with a UDP packet
> for a listening port?
The endpoint should only return a Type 11 Code 1 if the packet were
fragmented. See RFC0792. See also RFC1122 and RFC1812.
> BTW, the above host can be tracerouted using ICMP but not UDP:
Other than DNS, there are comparatively few Internet services that
use UDP. See above.
Old guy
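To make the type 11 / type 3 distinction above concrete, here is an added example (mine, not code from the thread) that builds the three replies a traceroute probe can draw, as raw bytes constructed in memory rather than captured from a network, and decodes them the way a traceroute implementation does. The addresses, the ID field and the zero checksums are constructed sample values; port 33434 is the classic traceroute starting port. A firewall that drops outbound type 11 simply means the first message below never arrives, and traceroute prints "*" for that hop.

```python
import struct

# Replies a traceroute probe can elicit, keyed by (ICMP type, code).
ICMP_NAMES = {
    (0, 0): "echo reply (endpoint reached, ICMP probe)",
    (3, 3): "port unreachable (endpoint reached, UDP probe)",
    (11, 0): "time exceeded in transit (intermediate hop)",
    (11, 1): "fragment reassembly time exceeded (not a hop reply)",
}

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def icmp_error(icmp_type, code, offending):
    """ICMP error per RFC 792: type, code, checksum (0 here), 4 unused bytes,
    then the offending IP header plus the first 8 bytes of its payload."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]

def classify(icmp):
    """Return (description, quoted UDP destination port or None).

    For type 3/11 errors the quoted inner datagram tells traceroute which
    probe the reply belongs to; for UDP probes that is the destination port."""
    icmp_type, code = icmp[0], icmp[1]
    desc = ICMP_NAMES.get((icmp_type, code), f"type {icmp_type} code {code}")
    if icmp_type not in (3, 11) or len(icmp) < 36:
        return desc, None
    inner = icmp[8:]                       # quoted IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4            # inner header length in bytes
    if inner[9] == 17:                     # protocol 17 = UDP
        return desc, struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return desc, None

# Constructed sample: a UDP probe with TTL 1 to port 33434, the type 11 it
# draws from the first hop, the type 3 the endpoint sends once the TTL is
# large enough to reach it, and an echo reply for an ICMP probe instead.
UDP_PROBE = (ipv4_header("10.0.0.2", "198.51.100.7", 17, 1, 8)
             + struct.pack("!HHHH", 40000, 33434, 8, 0))
HOP_REPLY = icmp_error(11, 0, UDP_PROBE)
ENDPOINT_REPLY = icmp_error(3, 3, UDP_PROBE)
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
```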