Re: tracert from A to B dies just before reaching B -- and vice versa?

On Mon, 9 Feb 2009, in the Usenet newsgroup comp.os.linux.networking, in article
<37a3c87c-9aaf-4cf7-b639-8c3ee94f2d5e@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Bennett Haselton wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

For some reason they are unable to ping each other or ssh to each
other (even though each host is pingable from apparently everywhere
else). As recently as a few days ago, I was able to ssh from one to
the other so I have no idea what went wrong.

Someone changed the firewall/routing rules.

I did a tracert from 69.72.177.140 to 67.43.158.218, and the
traceroute died just before reaching 67.43.158.218. I took this to
mean that the problem was somewhere on the network hosting
67.43.158.218 (perhaps a router blocking incoming connections from
69.72.177.140 for some unknown reason), and reported the problem to
them:

Exactly which application did you use? "tracert" is the windoze
wanna-be application that uses ICMP echos (ping) as the trace. While
several later versions of the LBL "traceroute" _can_ use ICMP echos
(with the -i option), the default is to use UDP packets. It may
come as a surprise to you, but neither ICMP or UDP is used for SSH
connections, so failures of TRACERT.EXE or traceroute won't explain
TCP/IP connection problems. See the man page.

However, the network admins for 67.43.158.218 replied that they tried
doing the reverse -- doing traceroute from 67.43.158.218 back to
69.72.177.140 -- and it showed that the traceroute got almost the
entire distance, but died just before reaching 69.72.177.140:

Replace the providers with someone less incompetent.

This, to me, seems extremely weird.

But not exactly relavent. 'tracert' and 'traceroute' are not testing
the firewall rules that apply to TCP.

How can the traceroute work *almost* all the way, but not quite, in
both directions?

Dozens of explanations - most probably is the fact that firewall rules
can be directional, and that multiple protocols are in use.

If there were a firewall on one network that was preventing the
traceroute from completing in one direction, wouldn't it also stop the
traceroute in the other direction before it even got out the door?

Read the man page for tcpdump. It works by the originator sending out
packets (ICMP Type 8 or UDP to ports ~34334+) with a time to live of
"1". The router that receives such a packet decrements the TTL count,
sees that it is now zero, drops the packet, and MAY send back an ICMP
Type 11 Code 0 "Time Exceeded" error. The sender increments the TTL
and repeats - with the "next hop" discovering the TTL is zero, lather
rinse, repeat. When the originating TTL is large enough to reach the
destination, that host sends back an ICMP Type 0 (echo reply to a
ICMP type 8), or ICMP Type 3 Code 3 (port unreachable).

Now look on your system for the old but readable "Firewall-HOWTO" or
the more modern "packet-filtering-HOWTO" which you can find at
http://www.netfilter.org/documentation/HOWTO/. Notice that firewalls
can have different rules for "inbound" and "outbound" packets,
different protocols, and even different rules for the 25 types of ICMP
packets. The providers may or may not be using Linux, but the concepts
of packet filtering are the same.

Even without knowing what IS causing this, what is a plausible set of
conditions that COULD be causing it?

Depends on how the firewalls are configured - but it is a firewall
issue. If your providers can't _explain_ to you what they have done
and make some effort to fix the problem, replace them with someone who
can. You may also want to check the various RBL lists before you
sign any contract, and check news.admin.net-abuse.sightings for other
signs of trouble.

Old guy
.

Relevant Pages

  • Re: icmp type 11 not go via nat POSTROUTING table
    ... everthing is working as it "should", there is no reason for a "ICMP ... I generated two test icmp packets ... This is how traceroute knows the IP of the ... If x.y.z.t is a private IP address, it cannot be tracerouted anyway, so ...
    (comp.os.linux.networking)
  • Re: Am I being hacked?
    ... > incoming TCP packets are 'Allowed' on those ports. ... The term "stealth" is misleading. ... The online services that claim to test your firewall can be misleading ... but block normal ICMP echo requests. ...
    (comp.security.firewalls)
  • Re: Apache 1.3 Problems
    ... Did the server restart at all and if so are the ... >>>Sounds like a firewall issue. ... >> shows any tcp packets at all getting through except when lynx is run ... Can you show us a 'traceroute bbrb-isp.Stanford.EDU' from your machine? ...
    (freebsd-questions)
  • Re: Kerio 2.1.5 Vulnerability
    ... >>person is able to get packets to any port past the firewall if they wish. ... >>I researched this and posted in varous Kerio forums, ... > Description: Other ICMP ...
    (comp.security.firewalls)
  • Why some hosts in Internet not prefer to be traceroute-d ?
    ... i.e. not to send a TTL exceeded ICMP packet back to the host. ... like dropping TTL exceeded ICMP packets (dropping such packets in ... I used to traceroute in unprivileged user mode, ... What's the difference between a router and a endpoint host from ...
    (comp.os.linux.networking)