networking - Why do some host disable ICMP Time Exceeded (Type 11) messages?

2014-04-06
  • Kent Pawar

    While doing a traceroute for different servers, at times I find some hosts do not return ICMP 'Time to live exceeded in transit' (Type 11) messages, and so I see "* * *" instead of the server name and statistics.

    Is this done just to conserve bandwidth, or is it a means to be invisible to devices outside its network?

    So basically, are there advantages in appearing invisible in the traceroute output that would outweigh the con of not being able to perform diagnostics using traceroute?


    The question 'What are reasons to disallow ICMP on my server?' has some good answers but doesn't justify why some folks disable ICMP Echo Reply, which is quite common at least to my observation.

  • Answers
  • Hennes

    In the past this was done because a few worms used ping/ICMP_echo_request to check if there was a potential target before trying to infect it. Blocking this was a crude countermeasure.

    This is the main reason why it is still recommended in some manuals.

    A secondary reason is because some people do not want others to easily detect their internal network structure. This is a form of security by obscurity, but sadly one which is often used in place of proper measures.

  • AthomSfere

    Ping and traceroute can be used as information-gathering devices; there are various reasons why you would not want this known, including security. The more difficult it is to gather basic information, the more secure a network is. It is far from foolproof, but it is a simple measure to add another layer of security.
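    Added example, not code from the question or either answer: before concluding that a silent hop has deliberately disabled Type 11, a practitioner would rule out ICMP rate limiting, which is on by default on Linux. The kernel rate-limits the ICMP types whose bit is set in the sysctl net.ipv4.icmp_ratemask (default 6168, i.e. types 3, 4, 11 and 12) to one reply per net.ipv4.icmp_ratelimit milliseconds (default 1000). Type 11 is covered by that default, so a busy hop answers some probes and not others and shows intermittent "* * *" without anyone having turned anything off. The script decodes a ratemask value and reports on the live host; the sysctl names and defaults are Linux facts, everything else is illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread). Decodes net.ipv4.icmp_ratemask
# and reports whether ICMP Time Exceeded (type 11) is rate-limited on this host.
# Default mask 6168 = bits 3,4,11,12 (dest unreachable, source quench,
# time exceeded, parameter problem); default limit 1000 ms per type.

# ratemask_covers_type MASK TYPE: succeed if bit TYPE is set in MASK
ratemask_covers_type() {
    mask=$1
    icmp_type=$2
    [ $(( (mask >> icmp_type) & 1 )) -eq 1 ]
}

# limited_types MASK: space-separated list of ICMP types the mask covers
limited_types() {
    mask=$1
    out=""
    t=0
    while [ "$t" -le 31 ]; do
        if ratemask_covers_type "$mask" "$t"; then
            out="$out $t"
        fi
        t=$((t + 1))
    done
    printf '%s\n' "${out# }"
}

# describe_host [MASK [LIMIT]]: report whether Time Exceeded is rate-limited.
# Without arguments it reads the live sysctls, falling back to the kernel
# defaults when /proc is unavailable (e.g. on a non-Linux box).
describe_host() {
    mask=${1:-$(cat /proc/sys/net/ipv4/icmp_ratemask 2>/dev/null || echo 6168)}
    limit=${2:-$(cat /proc/sys/net/ipv4/icmp_ratelimit 2>/dev/null || echo 1000)}
    if ratemask_covers_type "$mask" 11; then
        echo "icmp_ratemask=$mask (types $(limited_types "$mask")): Time Exceeded is rate-limited to one per ${limit} ms"
    else
        echo "icmp_ratemask=$mask (types $(limited_types "$mask")): Time Exceeded is not rate-limited"
    fi
}

describe_host
```

    The distinguishing sign on the wire: a rate-limited hop still answers some probes, so repeated traceroutes show it intermittently, while a hop that drops outgoing Time Exceeded in its firewall never answers at all.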


  • Related Question

    networking - Finding all ICMP enabled Hosts on Local Subnet
  • divinci

    I am a host in a 255.255.255.0 subnet - conforming to RFC1918.

    What ways are possible (without iterating over the 254 addresses) to map the IPEndPoints in my local subnet?


  • Related Answers
  • quack quixote

    nik is close; you do need to ping the broadcast, but not all systems will respond directly.

    Note the broadcast address is not the same as your network address. If your IP is 192.168.1.42, and your netmask is 255.255.255.0, then your network address is 192.168.1.0 and your network broadcast address is 192.168.1.255.

    1. Ping the broadcast of your network:

      • Linux: ping 192.168.1.255 -b
      • WinXP: ping 192.168.1.255

    2. Check the ARP cache for responses:

      • Linux: arp
      • WinXP: arp -a

    Oddly enough, I get responses from a Win-7 machine on my network when pinging the broadcast address, but no one else's responses show up. There are 4 devices on my network (router, XP, Win7, debian); all 3 remote machines were listed correctly in the arp output when I ran the above commands on both the Debian and WinXP systems.

  • nik

    If you send a broadcast ping with

        ping network_address -b

    where network_address is your 255.255.255.0-equivalent class C network,
    all the endpoints will reply to you.
    You then just have to extract the unique individual responding IP addresses from the output.


    This means that if your IP address is 192.168.1.42 in a class C network,
    you would do a ping 192.168.1.0 -b and look at (say) a minute's worth of output.
    All connected endpoints in the network will reply to this broadcast address.
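    Added example, not code from either answer above. It carries out the two steps of quack quixote's procedure (broadcast ping, then read the ARP cache) and the point about the broadcast address differing from the network address that both answers turn on: the broadcast address is the network prefix with every host bit set, so 192.168.1.42 with mask 255.255.255.0 gives 192.168.1.255, and the helpers compute it for any netmask, not just /24. The ARP parser accepts the Linux arp -n and Windows arp -a layouts shown in the answers; the sample arp output embedded in the script is constructed, and the sweep function is Linux-only.

```shell
#!/bin/sh
# Added example (not from the original answers). Computes network and
# broadcast addresses for an IPv4 address/netmask pair, then runs the
# broadcast ping + ARP-cache procedure and extracts the responding hosts.

# ip_to_int A.B.C.D -> decimal 32-bit value
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_address IP MASK -> host bits cleared
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_address IP MASK -> host bits all ones (this is what to ping,
# not the network address)
broadcast_address() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    int_to_ip $(( (ip & mask) | (~mask & 4294967295) ))
}

# responding_hosts: filter `arp -n` (Linux) or `arp -a` (Windows) output on
# stdin down to resolved IPv4 neighbours, one per line. Skips unresolved
# "(incomplete)" entries and the all-ones broadcast MAC Windows lists.
responding_hosts() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $0 !~ /incomplete/ &&
         $0 !~ /ff[:-]ff[:-]ff[:-]ff[:-]ff[:-]ff/ { print $1 }' | sort -u
}

# Constructed sample of Linux `arp -n` output, used for the offline run.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.7                      (incomplete)                              eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:20   C                     eth0'

# sweep IP MASK: the two steps from the answer, Linux flavour (iputils ping
# needs -b for a broadcast target; the ping output itself is not what we read).
sweep() {
    bcast=$(broadcast_address "$1" "$2")
    echo "network $(network_address "$1" "$2"), broadcast $bcast"
    ping -b -c 3 "$bcast" >/dev/null 2>&1
    arp -n | responding_hosts
}

if [ $# -eq 2 ]; then
    sweep "$1" "$2"           # e.g.  sh sweep.sh 192.168.1.42 255.255.255.0
else
    printf '%s\n' "$SAMPLE_ARP" | responding_hosts   # offline demo on the sample
fi
```

    As quack quixote observed, hosts that ignore the broadcast echo request can still appear in the ARP cache, which is why the script reads arp rather than the ping replies; hosts that are powered on but have not exchanged any frames with you will not appear in either.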