networking - Conditions that trigger a TTL-exceeded ICMP reply

2014-04-06
  • misteryes

    I use traceroute to send UDP packets with TTL=1:

      traceroute -U -p 5000 138.96.116.9 -m 1 -q 1
    

    I can get a TTL-exceeded ICMP reply.

    Then I wrote a program to send a UDP packet with TTL=1, but I don't capture an ICMP reply.

    These packets are in the following link:

    https://docs.google.com/file/d/0B-LaBUj9KtQhZ2VGdThSbGphTGs/edit?usp=sharing

    The first UDP packet is sent by traceroute, while the third is sent by my program.

    My question is:

    Why doesn't the UDP packet from my program trigger a TTL-exceeded ICMP reply?

    FYI: The vantage point from which I send the packet is a virtual slice on a PlanetLab node.

    PlanetLab nodes are shared by many virtual slices.
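The check below is an added example, not code from the question or from traceroute. It builds the kind of UDP probe traceroute sends (TTL=1, destination 138.96.116.9, port 5000 from the question; the probe source 10.0.0.2 and the router address 192.0.2.1 are constructed placeholders), builds the ICMP Time Exceeded reply a router would return for it, and then applies the matching rule a traceroute implementation uses: the reply must be ICMP type 11 code 0 with a valid checksum, and the IP header and first 8 bytes quoted inside it must carry the probe's protocol, addresses and UDP ports. Running your own program's probe and any captured ICMP through `match_time_exceeded` tells you whether the reply you are looking for is actually addressed to your probe.

```python
"""Added example: construct a TTL=1 UDP probe and the ICMP Time Exceeded
reply it provokes, and match one against the other (RFC 792 semantics).
All bytes are built offline; no packets are sent."""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_TIME_EXCEEDED = 11      # code 0 = TTL exceeded in transit


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 when data already
    carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int,
                ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int,
              payload: bytes = b"constructed-probe") -> bytes:
    """IP+UDP datagram with TTL=1, as traceroute -U sends it.
    UDP checksum 0 (= not computed) is permitted for IPv4."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp), ttl=1) + udp


def time_exceeded_reply(router: str, probe_src: str, probe_packet: bytes) -> bytes:
    """What the router at hop 1 returns: ICMP type 11/code 0 quoting the
    expired packet's IP header plus its first 8 bytes (the UDP header)."""
    ihl = (probe_packet[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe_packet[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, probe_src, IPPROTO_ICMP, len(icmp), ttl=64) + icmp


def match_time_exceeded(reply_packet: bytes, probe_packet: bytes):
    """Return the replying router's address if reply_packet is an ICMP Time
    Exceeded for exactly probe_packet, else None. The TTL of the quoted header
    is deliberately not compared: routers may quote it before or after
    decrementing."""
    if len(reply_packet) < 20 or reply_packet[9] != IPPROTO_ICMP:
        return None
    icmp = reply_packet[(reply_packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or checksum(icmp) != 0:
        return None                       # truncated or corrupted
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != 0:
        return None                       # some other ICMP message
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8:
        return None                       # quote too short to hold UDP ports
    p_ihl = (probe_packet[0] & 0x0F) * 4
    quoted_key = (quoted[9], quoted[12:16], quoted[16:20],
                  struct.unpack("!HH", quoted[q_ihl:q_ihl + 4]))
    probe_key = (probe_packet[9], probe_packet[12:16], probe_packet[16:20],
                 struct.unpack("!HH", probe_packet[p_ihl:p_ihl + 4]))
    if quoted_key != probe_key:
        return None                       # reply belongs to a different probe
    return socket.inet_ntoa(reply_packet[12:16])


if __name__ == "__main__":
    probe = udp_probe("10.0.0.2", "138.96.116.9", 40000, 5000)
    reply = time_exceeded_reply("192.0.2.1", "10.0.0.2", probe)
    print("hop 1 router:", match_time_exceeded(reply, probe))
```

A reply whose quoted ports differ from your probe (another process or slice on the same node sending UDP with the same destination) is rejected by this rule, so when debugging, compare the quoted header in any captured ICMP against the exact source port your program used.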


    Related Question

    linux - What is ICMP broadcast good for?
  • brahima

    To configure Linux to ignore ICMP broadcasts (to protect from SMURF attacks), I have added the following line to /etc/sysctl.conf:

    net.ipv4.icmp_echo_ignore_broadcasts = 1
    

    Does anyone know what the drawbacks of ignoring ICMP broadcasts are? In other words, what is ICMP broadcasting good for?


  • Related Answers
  • Spiff

    The sysctl option you referenced (net.ipv4.icmp_echo_ignore_broadcasts) only deals with IPv4 ICMP echo broadcasts. ICMP echo messages are the messages used to implement the "ping" command-line tool. By ignoring broadcast ICMP echo requests, your machine won't respond when someone tries to ping a broadcast address (such as 255.255.255.255, or, say, 192.168.1.255 on a 192.168.1.0/24 subnet) to find all the hosts on the subnet at the same time.

    This particular sysctl option shouldn't have any effect on being able to respond to unicast pings sent directly to the unicast IP address of your machine. Also, this option is only for ICMP echo broadcasts, so it shouldn't have any effect on all the other uses of ICMP besides echoes.
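The following is an added example, not part of the answer above, modelling exactly what the setting covers: an echo request (ICMP type 8) is suppressed only when its destination is the limited broadcast address or the directed broadcast of an attached subnet; unicast echo requests and every other ICMP type are untouched. The attached subnet 192.168.1.0/24 and the addresses are the ones from the answer; the interface list is a constructed input, and the function is a model of the rule, not a read of the kernel.

```python
"""Added example: model of which packets net.ipv4.icmp_echo_ignore_broadcasts
suppresses. Uses only the standard library; nothing touches the kernel."""
import ipaddress

ICMP_ECHO_REQUEST = 8            # "ping"
ICMP_TIMESTAMP_REQUEST = 13      # another ICMP request type, used to show it is not covered
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_broadcast(dst: str, attached_networks) -> bool:
    """True for 255.255.255.255 or for the directed broadcast address of any
    subnet the host is attached to (e.g. 192.168.1.255 on 192.168.1.0/24)."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return True
    return any(addr == ipaddress.IPv4Network(net).broadcast_address
               for net in attached_networks)


def suppressed_by_icmp_echo_ignore_broadcasts(icmp_type: int, dst: str,
                                              attached_networks,
                                              setting: int) -> bool:
    """Return True only when this sysctl is the reason the host stays silent:
    the setting is 1, the message is an echo request, and it was sent to a
    broadcast address. Unicast echo requests and other ICMP types are never
    affected by this setting (they may be governed by other knobs)."""
    if setting != 1:
        return False
    if icmp_type != ICMP_ECHO_REQUEST:
        return False
    return is_broadcast(dst, attached_networks)


if __name__ == "__main__":
    nets = ["192.168.1.0/24"]            # constructed: the host's one attached subnet
    for dst in ("255.255.255.255", "192.168.1.255", "192.168.1.10"):
        print(dst, "suppressed" if suppressed_by_icmp_echo_ignore_broadcasts(
            ICMP_ECHO_REQUEST, dst, nets, 1) else "answered")
```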

  • Ruairi Fullam

    ICMP echo is more commonly known as ping, the simplest way to determine whether a networked system is responsive.

    By ignoring ICMP broadcasts, your system(s) will not respond to ping requests and at first glance will appear down or unavailable to anyone who didn't know otherwise.

    It is one way of hiding your system, but the next logical step for a determined intruder would be to perform a port scan.