networking, tcp, traceroute

Traceroute using TCP packets reaches the destination in just one hop


I'm studying some useful Unix networking tools like traceroute and I found a strange behaviour when using TCP packets instead of UDP or ICMP ones.

In particular, if I traceroute any website, the system reaches the destination in just one hop. These are some trials I did:

$ traceroute -T google.com
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  mil07s12-in-f14.1e100.net (216.58.209.46)  10.316 ms  10.263 ms  10.241 ms

$ traceroute -T tomshw.com
traceroute to tomshw.com (64.190.63.111), 30 hops max, 60 byte packets
 1  64.190.63.111 (64.190.63.111)  2.940 ms  2.900 ms  2.878 ms

$ traceroute -T corriere.it
traceroute to corriere.it (185.53.36.36), 30 hops max, 60 byte packets
 1  cache.corriere.it (185.53.36.36)  6.123 ms  6.063 ms  6.017 ms

$ traceroute -T facebook.com
traceroute to facebook.com (157.240.203.35), 30 hops max, 60 byte packets
 1  edge-star-mini-shv-01-mxp2.facebook.com (157.240.203.35)  2.889 ms  2.855 ms  2.838 ms

$ traceroute -T interno.gov.it
traceroute to interno.gov.it (99.86.153.34), 30 hops max, 60 byte packets
 1  server-99-86-153-34.mxp64.r.cloudfront.net (99.86.153.34)  5.960 ms  5.923 ms  5.892 ms

Instead, using UDP or ICMP packets the destination is reached in a reasonable number of hops:

$ traceroute google.com
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  _gateway (192.168.182.1)  24.216 ms  24.172 ms  24.155 ms
 2  192.168.10.1 (192.168.10.1)  24.143 ms  24.117 ms  24.088 ms
 3  82.113.192.132 (82.113.192.132)  33.846 ms  33.818 ms  33.800 ms
 4  185.25.74.93 (185.25.74.93)  47.396 ms  47.379 ms  47.367 ms
 5  hu-0-0-1-2.ncs55-1-jn.network.twt.it (185.25.74.130)  47.350 ms  47.337 ms  54.092 ms
 6  142.250.169.248 (142.250.169.248)  54.073 ms  32.662 ms  35.847 ms
 7  * * *
 8  108.170.245.65 (108.170.245.65)  35.724 ms  61.251 ms 216.239.40.200 (216.239.40.200)  51.454 ms
 9  108.170.245.73 (108.170.245.73)  131.758 ms 108.170.232.181 (108.170.232.181)  105.612 ms 108.170.245.73 (108.170.245.73)  131.720 ms
10  172.253.71.141 (172.253.71.141)  61.114 ms mil07s12-in-f14.1e100.net (216.58.209.46)  61.095 ms  61.126 ms

$ traceroute -I google.com
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  _gateway (192.168.182.1)  21.592 ms  37.848 ms  41.086 ms
 2  192.168.10.1 (192.168.10.1)  47.584 ms  50.838 ms  54.088 ms
 3  82.113.192.132 (82.113.192.132)  57.354 ms  63.878 ms  63.870 ms
 4  185.25.74.93 (185.25.74.93)  63.861 ms  63.846 ms  63.901 ms
 5  hu-0-0-1-2.ncs55-1-jn.network.twt.it (185.25.74.130)  63.891 ms  1457.578 ms  1457.568 ms
 6  142.250.169.248 (142.250.169.248)  70.296 ms  14.804 ms  33.535 ms
 7  209.85.242.39 (209.85.242.39)  82.764 ms  82.748 ms  82.731 ms
 8  108.170.232.169 (108.170.232.169)  82.712 ms  82.696 ms  82.745 ms
 9  mil07s12-in-f14.1e100.net (216.58.209.46)  225.226 ms  228.457 ms  228.433 ms

Looking at Wireshark, I see a SYN-ACK for the first SYN probe, which has TTL = 1, and that is strange because it should expire.

Finally, when I change the port, for example to 22, it seems to work a bit better:

$ traceroute -T -p 22 google.com
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  _gateway (192.168.182.1)  10.014 ms  9.943 ms  9.921 ms
 2  192.168.10.1 (192.168.10.1)  13.022 ms  12.947 ms  12.917 ms
 3  82.113.192.132 (82.113.192.132)  38.882 ms  38.855 ms  38.832 ms
 4  185.25.74.93 (185.25.74.93)  38.802 ms  38.846 ms  38.818 ms
 5  hu-0-0-1-2.ncs55-1-jn.network.twt.it (185.25.74.130)  38.790 ms  38.765 ms  38.748 ms
 6  142.250.169.248 (142.250.169.248)  38.649 ms  10.215 ms  10.256 ms
 7  * * *
 8  * * *
...
29  * * *
30  * * *

$ traceroute -T -p 22 tomshw.com
traceroute to tomshw.com (64.190.63.111), 30 hops max, 60 byte packets
 1  _gateway (192.168.182.1)  5.657 ms  5.594 ms  5.567 ms
 2  192.168.10.1 (192.168.10.1)  12.123 ms  12.099 ms  12.075 ms
 3  82.113.192.132 (82.113.192.132)  17.724 ms  20.958 ms  20.934 ms
 4  185.25.74.93 (185.25.74.93)  24.177 ms  24.154 ms  24.198 ms
 5  te-0-2-0-1.asr9kp-jn.network.twt.it (82.113.194.246)  20.835 ms  20.812 ms  20.817 ms
 6  81.25.202.185 (81.25.202.185)  24.095 ms  15.309 ms  18.446 ms
 7  mno-b3-link.ip.twelve99.net (62.115.144.98)  18.414 ms  14.755 ms  17.877 ms
 8  ffm-bb2-link.ip.twelve99.net (62.115.116.172)  29.702 ms  39.470 ms  39.454 ms
 9  mcn-b3-link.ip.twelve99.net (62.115.124.47)  39.430 ms  39.407 ms  39.374 ms
10  internetx-ic332227-mcn-b2.ip.twelve99-cust.net (62.115.160.178)  39.350 ms  39.355 ms  39.329 ms
11  91.195.241.102 (91.195.241.102)  39.269 ms  39.239 ms  164.766 ms
12  91.195.241.118 (91.195.241.118)  167.982 ms  167.951 ms 91.195.241.114 (91.195.241.114)  207.035 ms
13  64.190.63.111 (64.190.63.111)  206.969 ms  206.940 ms  203.627 ms

What could be the explanation for this behaviour? The operating system I'm using is Kubuntu 21.10 with default settings, so I would exclude proxies or anything like that.


Solution

  • The traceroute man page says:

    tcp -T

    Well-known modern method, intended to bypass firewalls. Uses the constant destination port (default is 80, http).

    So it seems there is some kind of invisible proxy for port 80 in your network.
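The way to confirm the answer's diagnosis is the comparison the question already did by hand: parse the traceroute output, see at which hop the target address first answers for each probe type, and flag the run where TCP probes to one port "arrive" at hop 1 while another probe type places the same address many hops away. A device that answers a TTL=1 SYN with a SYN-ACK is completing the handshake itself instead of forwarding the packet, which is exactly what a transparent port 80 proxy does. The script below is an added example written for this thread, not code from the original post or from the traceroute project. It parses the text format of Linux traceroute shown above; the two traces embedded in it are copied verbatim from the question, and the TTL helper at the end uses the usual initial TTLs (64, 128, 255) as a heuristic, since the post does not give the SYN-ACK's own TTL.

```python
"""Spot a transparent TCP proxy from traceroute output (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header: "traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets"
HEADER_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
# Hop line: " 8  108.170.245.65 (108.170.245.65)  35.724 ms ..." or " 7  * * *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# Every responder on a hop line appears as "(a.b.c.d)"; several may share one hop.
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Trace:
    target: str
    hops: Dict[int, List[str]]  # hop number -> responder IPs ([] for "* * *")


def parse_traceroute(text: str) -> Trace:
    """Parse one traceroute run; all responders seen at a hop are kept."""
    target: Optional[str] = None
    hops: Dict[int, List[str]] = {}
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = ADDR_RE.findall(m.group(2))
    if target is None:
        raise ValueError("no 'traceroute to ...' header found")
    return Trace(target, hops)


def hops_to_target(trace: Trace) -> Optional[int]:
    """First hop at which the target address itself answered, or None if it never did."""
    for n in sorted(trace.hops):
        if trace.target in trace.hops[n]:
            return n
    return None


def distance_lower_bound(trace: Trace) -> int:
    """Hops to the target if it was reached, else the farthest hop that answered at all."""
    reached = hops_to_target(trace)
    if reached is not None:
        return reached
    return max((n for n, ips in trace.hops.items() if ips), default=0)


def interception_suspected(tcp_run: Trace, reference_run: Trace, min_gap: int = 2) -> bool:
    """True when the TCP run ends at hop 1 while another probe type shows the same
    address at least `min_gap` hops further away: something in between answered the SYN."""
    if tcp_run.target != reference_run.target:
        raise ValueError("runs must be against the same target address")
    tcp_hops = hops_to_target(tcp_run)
    return tcp_hops == 1 and distance_lower_bound(reference_run) - tcp_hops >= min_gap


def responder_distance_from_ttl(received_ttl: int) -> int:
    """Rough hop distance of whoever sent a packet, from its IP TTL on arrival.
    Heuristic: assumes the sender started from one of the common initial TTLs."""
    for initial in (64, 128, 255):
        if received_ttl <= initial:
            return initial - received_ttl
    raise ValueError("TTL above 255 is not valid")


# Copied from the question: TCP/80 probes "arrive" at hop 1.
TCP80_GOOGLE = """\
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  mil07s12-in-f14.1e100.net (216.58.209.46)  10.316 ms  10.263 ms  10.241 ms
"""

# Copied from the question: ICMP probes need nine hops to the same address.
ICMP_GOOGLE = """\
traceroute to google.com (216.58.209.46), 30 hops max, 60 byte packets
 1  _gateway (192.168.182.1)  21.592 ms  37.848 ms  41.086 ms
 2  192.168.10.1 (192.168.10.1)  47.584 ms  50.838 ms  54.088 ms
 3  82.113.192.132 (82.113.192.132)  57.354 ms  63.878 ms  63.870 ms
 4  185.25.74.93 (185.25.74.93)  63.861 ms  63.846 ms  63.901 ms
 5  hu-0-0-1-2.ncs55-1-jn.network.twt.it (185.25.74.130)  63.891 ms  1457.578 ms  1457.568 ms
 6  142.250.169.248 (142.250.169.248)  70.296 ms  14.804 ms  33.535 ms
 7  209.85.242.39 (209.85.242.39)  82.764 ms  82.748 ms  82.731 ms
 8  108.170.232.169 (108.170.232.169)  82.712 ms  82.696 ms  82.745 ms
 9  mil07s12-in-f14.1e100.net (216.58.209.46)  225.226 ms  228.457 ms  228.433 ms
"""

if __name__ == "__main__":
    tcp, icmp = parse_traceroute(TCP80_GOOGLE), parse_traceroute(ICMP_GOOGLE)
    print("TCP/80 reached target at hop", hops_to_target(tcp))
    print("ICMP reached target at hop", hops_to_target(icmp))
    print("transparent interception suspected:", interception_suspected(tcp, icmp))
```

In practice you would feed it the output of `traceroute -T -p 80 host` and of `traceroute -I host` (or `-T -p 22`, as in the question) for the same target. If the interception check fires, capture the SYN-ACK in Wireshark and pass its IP TTL to `responder_distance_from_ttl`: a value a few hops below 64 or 255 points at a nearby middlebox rather than the real server.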