Traceroute: How It Works and Overcoming Firewall Limitations

Understanding the Basics

When we execute a traceroute command, our machine sends out 3 UDP packets with a TTL (Time-to-Live) of 1. When those packets reach the next hop router, it will decrease the TTL to 0 and thus reject the packet. It will send an ICMP Time-to-Live Exceeded (Type 11), TTL equal 0 during transit (Code 0) back to our machine - with a source address of itself, therefore we now know the address of the first router.

Next our machine will send 3 UDP packets with a TTL of 2, thus the first router that we already know passes the packets on to the next router after reducing the TTL by 1 to 1. The next router decreases the TTL to 0, thus rejecting the packet and sending the same ICMP Time-to-Live Exceeded with its address as the source back to our machine. Thus we now know two paths.

This process keeps going until we reach the destination. Since we are sending UDP packets with the destination address of the host we are concerned with, once it gets to the destination the UDP packet is wanting to connect to the port that we have sent as the destination port. Since it is an uncommon port, it will most likely be rejected with an ICMP Destination Unreachable (Type 3), Port Unreachable (Code 3). This ICMP message is sent back to our machine, which will understand this as being the last hop, therefore traceroute will exit.

The Firewall Problem

The regular traceroute usually uses either ICMP or UDP protocols. Unfortunately, firewalls and routers often block the ICMP protocol completely or disallow the ICMP echo requests (ping requests), and/or block various UDP ports.

When we execute traceroute using ICMP or UDP using commands:

traceroute -I www.microsoft.com (ICMP)
traceroute -U www.microsoft.com (UDP)

After some couple of message exchanges, we often end up getting * * * as the firewall blocks our message.

The TCP Solution

So how do we get the actual address of the destination host? The answer: using traceroute over TCP.

To our surprise, executing:

traceroute -T -p 80 www.microsoft.com

returns the exact IP address!

Of course, there are lots of traceroute implementations, and if your system doesn't have the one as stated above, please check http://michael.toren.net/code/tcptraceroute/

Why TCP Works Better

TCP traceroute works better in these situations because many firewalls are configured to allow TCP traffic on common ports like 80 (HTTP) and 443 (HTTPS), as blocking these would prevent normal web browsing. By using TCP on these permitted ports, we can often bypass the restrictions that would block traditional ICMP or UDP traceroute attempts.

This technique is particularly useful when troubleshooting connectivity issues to web servers or other services that primarily communicate over TCP.

Practical Applications

This knowledge can be invaluable when:

• Diagnosing network connectivity issues
• Identifying where packets are being dropped in a network path
• Mapping network topologies behind firewalls
• Performing security assessments

Next time you're faced with a traceroute that's showing stars instead of hops, remember to try the TCP variant - it might just reveal the full path you're looking for.