Why does traceroute fail for amazon.com, yahoo.com, and ebay.com?

security networking

While troubleshooting performance issues on our network, I ran traceroute on various websites. The following websites would repeatedly not complete traceroute:

  • yahoo.com
  • amazon.com
  • ebay.com

Questions

  • Are these sites protecting their network such that traceroute is not able to complete?
  • I assume that this is based on these websites' networks and is unrelated to our network performance issues. Is that a safe assumption to make?

Example Traceroute for ebay.com

$ traceroute ebay.com
traceroute: Warning: ebay.com has multiple addresses; using 66.135.205.13
traceroute to ebay.com (66.135.205.13), 64 hops max, 52 byte packets
 1  10.10.100.1 (10.10.100.1)  56.518 ms  2.390 ms  2.082 ms
 2  mo-69-34-118-1.sta.embarqhsd.net (69.34.118.1)  9.943 ms  10.007 ms  10.177 ms
 3  mo-69-68-209-249.dyn.embarqhsd.net (69.68.209.249)  10.976 ms  21.159 ms  10.015 ms
 4  ge-6-20.car1.stlouis1.level3.net (4.53.160.13)  26.562 ms  26.278 ms  25.818 ms
 5  ae-11-11.car2.stlouis1.level3.net (4.69.132.186)  26.393 ms  26.519 ms  79.884 ms
 6  ae-4-4.ebr2.chicago1.level3.net (4.69.132.190)  32.965 ms  26.123 ms  48.123 ms
 7  ae-5-5.ebr2.chicago2.level3.net (4.69.140.194)  27.308 ms  26.784 ms  26.693 ms
 8  ae-2-52.edge4.chicago3.level3.net (4.69.138.166)  27.137 ms  26.473 ms  27.047 ms
 9  chp-brdr-03.inet.qwest.net (63.146.27.17)  26.315 ms  26.329 ms  26.449 ms
10  dvr-edge-13.inet.qwest.net (67.14.24.89)  51.270 ms  51.355 ms  51.134 ms
11  * * *
12  * * *
. . . . .
33  * * *
34  * *^C

Solution 1:

If you block some ICMP traffic, for firewalling or whatever reason, then traceroutes don't fully work. They're a mixture of UDP (the DNS lookups) and ICMP usually.

If you run traceroute -I yahoo.com or traceroute -T yahoo.com you should see different results (yahoo.com completes for me). This uses ICMP echo and TCP SYNs.

From the traceroute command's man page on Linux:

In the modern network environment the traditional traceroute methods can not be always applicable, because of widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods are implemented (including tcp), see LIST OF AVAILABLE METHODS below. Such methods try to use particular protocol and source/destination port, in order to bypass firewalls (to be seen by firewalls just as a start of allowed type of a network session).

Solution 2:

Traceroute uses groups of ICMP messages. each has 3 ICMP messages. (HOP count increment by one in each group of messages).

Usually admins block ICMP packets to "protect" their network. (mostly to obscure the structure of network and DoS).

That's why you get stars.

Related

Is it bad to edit cron file manually?
Amazon S3 Console: How to find total number of files with in a folder? [duplicate]
How can I convince my IT manager to upgrade the enterprise from IE6 to a newer browser?
Is using 2 solid state drives in RAID 0 going to be reliable?
Rename files to empty filename in Windows (Vista)
RAID configuration for large NAS
SVN: Where is my repository?
Linux tools to find duplicate files?
How do I pipe the output of uptime/df to curl?
Are separate dns records necessary for web and mail on a single server?
Clusterssh alternative for managing multiple SSH server [closed]
What is the best way to gain access when the password is unknown?