Linux traceroute vs Windows tracert

Anyone who has used Linux traceroute and Windows tracert knows that the two programs have very different command line options. But did you know that there is a fundamental difference in the way that these two programs work?

According to RFC1393, traceroute implementations are supposed to use the ICMP protocol. Indeed, the Windows implementation does use ICMP. However, by default, the Linux implementation uses UDP, unless you apply the “-I” option, in which case it will use ICMP.

I googled to find out why Linux traceroute uses UDP by default but I couldn’t find any definitive reasons. In practice, I’ve found that there is no real performance benefit; both the UDP flavour and the ICMP flavour seem to take about the same amount of time to do their work.

I guess the real advantage of being able to choose between the UDP and ICMP flavours is that if a firewall along the route is configured to block ICMP, you can try UDP. Similarly, if a firewall blocks UDP you can try ICMP.

If you want to allow someone to traceroute to your internet host, you need to configure your firewall to allow it. For ICMP, you must accept (i.e. iptables -j ACCEPT) ICMP packets of type 0 (Echo Reply), 8 (Echo) and 30 (Traceroute).

The UDP firewall configuration is slightly different. For UDP, you must not drop (i.e. iptables -j DROP) UDP packets in the destination port range of 33434 to 33600. Note that you do not have to open these ports (i.e. iptables -j ACCEPT). It is sufficient to simply reject (i.e. iptables -j REJECT) on these ports. Just don’t use “iptables -j DROP”, which will cause the UDP flavour of traceroute to fail. Note that there is no traceroute service on these ports (i.e. you don’t have to run any sort of traceroute server/daemon); indeed, for traceroute’s “-p” option, the man page says:

Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops – 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.
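To make the difference between REJECT and DROP concrete, here is a small simulation of the probe/reply exchange, added as an example and not code from the original post. It models a constructed path of three routers and a destination host whose firewall applies an iptables-style target (ACCEPT, REJECT or DROP) to UDP destination ports 33434 to 33600 and to inbound ICMP echo requests; the addresses, path length and policies are all made up. Intermediate hops answer with ICMP time exceeded (type 11), the UDP flavour ends on ICMP port unreachable (type 3, code 3) from the destination, and the ICMP flavour is modelled the way Windows tracert and Linux traceroute -I actually behave, as echo requests (type 8) answered by an echo reply (type 0). The last two scenarios reproduce the man-page note above: a daemon listening on one port in the default range swallows that probe, and a different -p base port avoids it.

```python
"""Constructed model of UDP vs ICMP traceroute against a firewalled host.

Added example, not code from the original post. Router and host addresses,
the path length and the firewall policies are all made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# ICMP message types from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3          # code 3 = port unreachable
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

UDP_BASE_PORT = 33434                  # traceroute's default base port (-p)
UDP_PROBE_RANGE = range(33434, 33601)  # the 33434-33600 range the post firewalls
MAX_HOPS = 30


@dataclass
class Probe:
    proto: str                      # "udp" (Linux default) or "icmp" (tracert / -I)
    ttl: int
    dst_port: Optional[int] = None  # UDP flavour only


@dataclass
class Reply:
    src: str
    icmp_type: int
    icmp_code: int = 0


@dataclass
class Destination:
    """The traced host, with the iptables target applied to each probe kind."""
    addr: str
    udp_policy: str = "REJECT"        # target for UDP dst ports 33434-33600
    icmp_echo_policy: str = "ACCEPT"  # target for inbound ICMP echo request
    listening_udp: set = field(default_factory=set)  # ports a daemon has bound

    def handle(self, probe: Probe) -> Optional[Reply]:
        if probe.proto == "udp":
            if probe.dst_port in UDP_PROBE_RANGE and self.udp_policy == "DROP":
                return None  # silently discarded: the prober only sees '*'
            if probe.dst_port in UDP_PROBE_RANGE and self.udp_policy == "REJECT":
                return Reply(self.addr, ICMP_DEST_UNREACH, 3)  # iptables -j REJECT
            if probe.dst_port in self.listening_udp:
                return None  # a daemon consumed the datagram, no ICMP error is sent
            return Reply(self.addr, ICMP_DEST_UNREACH, 3)  # closed port, kernel replies
        if self.icmp_echo_policy == "DROP":
            return None
        return Reply(self.addr, ICMP_ECHO_REPLY)


def send_probe(path, dest, probe):
    """Forward one probe along the routers; each hop decrements the TTL."""
    ttl = probe.ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            return Reply(router, ICMP_TIME_EXCEEDED)  # hop reveals itself
    return dest.handle(probe)


def traceroute(path, dest, proto="udp", base_port=UDP_BASE_PORT, max_hops=MAX_HOPS):
    """Probe with TTL 1, 2, ... and return [(ttl, responder or None)].

    UDP probes go to base .. base + nhops - 1, as the quoted man page says;
    the trace ends on a port-unreachable (UDP) or echo reply (ICMP) from the
    destination, or after max_hops probes otherwise.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        port = base_port + ttl - 1 if proto == "udp" else None
        reply = send_probe(path, dest, Probe(proto, ttl, port))
        hops.append((ttl, reply.src if reply else None))
        if reply and reply.icmp_type in (ICMP_DEST_UNREACH, ICMP_ECHO_REPLY):
            break
    return hops


def trace_summary(path, dest, **kwargs):
    """Condense a trace into what an operator would notice on screen."""
    hops = traceroute(path, dest, **kwargs)
    return {
        "probes": len(hops),
        "reached": hops[-1][1] == dest.addr,
        "timeouts": sum(1 for _, src in hops if src is None),
    }


if __name__ == "__main__":
    path = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]  # constructed hops
    for policy in ("ACCEPT", "REJECT", "DROP"):
        dest = Destination("10.0.3.10", udp_policy=policy)
        print(f"UDP probes, firewall {policy:6}:", trace_summary(path, dest))
    for policy in ("ACCEPT", "DROP"):
        dest = Destination("10.0.3.10", icmp_echo_policy=policy)
        print(f"ICMP probes, echo {policy:6}:", trace_summary(path, dest, proto="icmp"))
    busy = Destination("10.0.3.10", udp_policy="ACCEPT", listening_udp={33437})
    print("daemon on 33437, default -p:", trace_summary(path, busy))
    print("daemon on 33437, -p 33500  :", trace_summary(path, busy, base_port=33500))
```

Running it shows why the post insists on REJECT rather than DROP: with ACCEPT or REJECT the UDP trace completes in four probes, because either the closed port or the REJECT rule produces the port-unreachable that terminates it, whereas DROP leaves the tracing host printing stars until it gives up after 30 probes. The ICMP flavour fails in the same way when echo requests are dropped, and the “daemon on 33437” case shows one probe lost to a listening service and recovered by the next TTL, which a different -p base avoids entirely.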

Good luck and happy tracerouting!

12 comments to Linux traceroute vs Windows tracert

  • Bogdan

    Well, actually both traceroute applications use UDP, Windows and Linux. It’s because of the way traceroute works. It sends UDP packets with incremental TTL values in the level 3 header. At first it sends a packet with a TTL value of 1, and the first router that receives the packet sets the TTL to 0, and when it has to forward it, it doesn’t do so because of the TTL field; thus it sends a Time Exceeded ICMP message back to the host. The next packet will have a TTL of 2 and so on and so forth. The implementation of traceroute is the same in Windows and Linux: send UDP and receive ICMP.

  • Joe

    Nope. I beg to differ, Bogdan. Windows tracert does NOT use UDP. It uses ICMP. Here is a snippet about tracert from the Windows Server 2003 help file:

    Determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo Request or ICMPv6 messages to the destination with incrementally increasing Time to Live (TTL) field values.

    More proof is here. See the part that says “The UNIX version of Tracert performs the same function as the Windows version except that the IP payload is a UDP packet”.

    For the final evidence, note that when tracerouting to my office, Windows tracert worked and Linux traceroute did not work when our firewall policy was to DROP UDP packets.

    If you’re inclined, hook up tcpdump and see for yourself.

  • Ehsan Khaleghpour

    Hi Joe; if I want to block traceroute on Linux, what should I do? If I deny ports from 33434 to 33600, it’s not enough, because this range can be changed by the -p parameter of traceroute.
    And if I want to block traceroute on a Windows machine but keep ping open, what do I do?!!! Block icmp-type echo request? So what happens to ping?!!! It is also blocked.
    What’s the correct solution?

  • Joe

    Ehsan,

    To block traceroute on Linux, start by DROPping ports 33434 to 33600. Of course, you make a good point that this range can be overridden with the -p option. If you are REALLY paranoid, you can DROP all UDP traffic and then only open the ports that you have services running on. Sometimes this is easier said than done though. One way to figure out what UDP ports you are using is to run “netstat -nul”. This will show you all of the UDP port numbers that processes on your box are listening on.

    As for blocking the ICMP flavor of traceroute/tracert, I think all you have to do is drop ICMP type 30 (traceroute). I think the following rule should do it:
    iptables -A INPUT -p icmp --icmp-type 30 -j DROP

  • Bogd

    Nope – that will not do it. Windows does use ICMP, but it does not use the implementation described in RFC1393 (as far as I know, no operating system to date uses the RFC1393 implementation of traceroute, which uses a special IP option instead of low TTL values).

    Windows uses “normal” ICMP echo requests with low TTL values. And the replies are ICMP type 11 (TTL exceeded), or ICMP type 0 (echo reply, when the destination has been reached).

    So if you want to block both Windows and *NIX traceroutes, you need to either:
    -block outgoing messages destined to UDP ports 33434 to 33534, AND outgoing ICMP echo-request messages
    or
    -block incoming ICMP type 11 and type 0 messages.

    [and speaking of tcpdump - I have in front of me an Ethereal capture of a Windows tracert session, showing the messages I mentioned: outbound ICMP echo-requests, and inbound ICMP time-exceeded and echo-reply. ]

  • Sathvanth

    You made my day. I have both *nix machines and Windows machines in our lab; tracerts were going through from Windows but not from *nix. I was wondering why, when Google brought me to your page.
    Now I know: probably UDP is blocked in my firewall.
    Thanks dude.

  • han qiao

    Hi Joe, if I would like to disable (block) traceroute on the Windows Server 2003 platform, what should I do?

  • Joe

    I think the info you need is all in my blog post. To block ICMP traceroute, you could try configuring your firewall to drop ICMP packets of type 30 (Traceroute). You might also have to drop ICMP packets of type 0 (Echo Reply) and 8 (Echo). To block UDP traceroute, you could try configuring your firewall to drop UDP packets in the destination port range of 33434 to 33600. I hope that helps. There are probably a million web pages that could help you too.

  • glenn

    I know this is old now, but it was the first useful google hit I got when trying to understand why UDP was used.

    I eventually came upon this, which seems to give a nice answer: http://www.inetdaemon.com/tools/traceroute/definition.shtml

  • Bogd

    I seem to keep coming back to this page from time to time :)

    This time, an answer to what you said in the post:
    I googled to find out why Linux traceroute uses UDP by default but I couldn’t find any definitive reasons.

    The reason is RFC792 (ICMP), which says:
    To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages

    This is the reason why Unix (and Linux, and Cisco, and other implementations) use UDP. Technically speaking, it is the Windows implementation that is breaking the RFC, not the other way around :)

    Speaking of which – your article also says “According to RFC1393, traceroute implementations are supposed to use the ICMP protocol.”. While true in theory, that RFC refers to the use of the traceroute ICMP message – which has never been implemented on a large scale (see my previous message).

  • DrAtomic

    I think all you are trying to say, Bogd, is that the Windows implementation uses type 8 instead of the dedicated traceroute types (30 etc).

    The original blog is correct in the sense that Windows uses ICMP and Linux UDP.

    On Linux you can force traceroute to use ICMP over UDP with traceroute -P ICMP ipnr; note that the Linux ICMP trace also uses type 8.

  • Ben Chapman

    A belated thank-you for this! Very helpful and explains why a network engineer using Windows and I (using Linux) were seeing different things on our network.
