Why Traceroute Fails for Major Sites: Network Security and ICMP Rate Limiting Explained


2 views

When running traceroute against major sites like Amazon, Yahoo, and eBay, you'll often encounter timeouts in the final hops before reaching the destination. This behavior isn't indicative of a network issue on your end, but rather intentional security measures implemented by these large-scale providers.

# Typical traceroute pattern for protected sites
$ traceroute amazon.com
...
12  * * *
13  * * *
14  *^C

There are several technical reasons why these companies prevent traceroute from completing:

  • ICMP Rate Limiting: Enterprise networks implement strict rate limits on ICMP responses to prevent network mapping and DDoS attacks
  • Edge Security Policies: Border routers often drop traceroute packets to obscure internal network topology
  • Load Balancer Behavior: Modern CDNs and load balancers may not respond to traceroute probes consistently

Traceroute operates by sending UDP packets (or ICMP echo requests on some implementations) with incrementing TTL values. Each hop should return an ICMP "Time Exceeded" message, revealing the router's IP. When this chain breaks:

# Python example showing traceroute logic
import socket
def simple_traceroute(dest, max_hops=30):
    port = 33434
    ttl = 1
    while True:
        recv_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, 
                                  socket.IPPROTO_ICMP)
        send_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                                  socket.IPPROTO_UDP)
        send_socket.setsockopt(socket.SOL_IP, socket.IP_TTL, ttl)
        recv_socket.bind(("", port))
        send_socket.sendto(b"", (dest, port))
        try:
            _, curr_addr = recv_socket.recvfrom(512)
            print(f"{ttl}\t{curr_addr[0]}")
            if curr_addr[0] == dest:
                break
        except socket.error:
            print(f"{ttl}\t*")
        finally:
            send_socket.close()
            recv_socket.close()
            ttl += 1
            if ttl > max_hops:
                break

When standard traceroute fails, consider these alternatives:

  • TCP Traceroute: Uses TCP SYN packets instead of UDP/ICMP
  • MTR: Combines traceroute with ping statistics
  • Looking glasses: Use remote traceroute servers closer to the target
# Using mtr for more comprehensive analysis
$ mtr --report-wide --report-cycles 10 amazon.com

While incomplete traceroutes might seem concerning, they rarely indicate actual performance issues. Modern networks:

  • Prioritize production traffic over diagnostic packets
  • Implement fair queuing that may deprioritize ICMP
  • Use ECMP routing that can make paths appear broken

The key takeaway: Don't interpret traceroute failures as network problems without additional evidence from TCP-based tests or actual application performance metrics.

When running traceroute against major websites like Amazon, Yahoo, and eBay, you'll often see the path terminate before reaching the destination. This isn't a network issue on your end - it's a deliberate security measure implemented by these companies.

# Sample incomplete traceroute output
traceroute to amazon.com (176.32.103.205), 30 hops max, 60 byte packets
1  192.168.1.1 (192.168.1.1)  1.234 ms
...
15  * * *
16  * * *

Traceroute operates by sending packets with incrementally increasing TTL (Time To Live) values and analyzing ICMP "Time Exceeded" responses. The key components are:

  • UDP datagrams (traditional Unix traceroute)
  • ICMP Echo Request (Windows tracert)
  • TCP SYN packets (modern implementations)

Major platforms implement several protective measures:

# Example iptables rule that might block traceroute
iptables -A INPUT -p icmp --icmp-type time-exceeded -j DROP
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j DROP

Common reasons include:

  • Preventing network topology mapping
  • Reducing ICMP flood attacks
  • Minimizing unnecessary traffic
  • Protecting CDN infrastructure details

When traceroute fails, consider these alternatives:

# Using tcptraceroute (often bypasses filters)
tcptraceroute -n -p 443 amazon.com

# Using mtr (combines traceroute and ping)
mtr --report amazon.com

# Using curl for TCP connection testing
curl -v --connect-timeout 5 https://www.ebay.com

Even incomplete traceroutes provide valuable information:

  1. The last responsive hop often reveals the edge network
  2. Latency patterns can indicate congestion points
  3. Packet loss patterns help identify problematic segments

These signs suggest actual network issues rather than destination filtering:

  • Consistent packet loss before the destination blocks
  • Abnormally high latency in early hops
  • Failures with non-major sites that don't filter ICMP
# Testing non-filtered sites for comparison
traceroute google.com
traceroute cloudflare.com

With the rise of:

  • Anycast routing
  • Cloud-based load balancing
  • DDoS protection services

Traditional traceroute becomes less effective. Consider these tools for modern networks:

# Paris-traceroute for load-balanced paths
paris-traceroute -n amazon.com

# scapy-based custom traceroute
from scapy.all import *
ans,unans=sr(IP(dst="amazon.com", ttl=(1,30))/ICMP(), timeout=3)
ans.make_table(lambda x,y: (y[IP].src, y[ICMP].type))