Why is Nmap traceroute so fast?

Using Nmap's traceroute option shows only one hop and is extremely fast. I understand it works differently than traceroute in that it tries to guess the right TTL instead of beginning with 1. But why is the RTT so fast? I have repeated this 10 times and the RTT is always in the range of 0.02 - 0.03 ms.

# nmap -Pn -T4 --traceroute xxx.xxx.xxx.xxx
Starting Nmap 6.40 ( ) at 2019-06-25 12:25 PDT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00013s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
<redacted>
TRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 0.03 ms xxx.xxx.xxx.xxx
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds

Using standard traceroute -T shows 8 hops. Repeating this 10 times shows a final RTT range between 0.77 - 1.20 ms. Both servers are on fast dedicated internet within 10 miles of each other, but 0.03 ms RTT seems unrealistic considering router processing time.


1 Answer

Your logs show that Nmap's traceroute works by sending TCP probes to port 113 (ident service). My guess is that your server's firewall, for some reason, blocks outgoing connections to that port – and it does so by faking a TCP RST, which Nmap interprets as a regular response to the probe. (Because it would indeed have received a TCP RST from the final hop, in most cases.)

Compare with traceroute --tcp=113.

Rejecting incoming Ident connections is normal. Doing the same for outgoing connections, however, is almost always completely useless. (Cargo-culting firewall rules?)
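One way to spot the pattern the answer describes in a captured Nmap report, as an added example that is not part of the question or the answer above: the script parses Nmap's TRACEROUTE block and flags a trace that consists of a single hop answered faster than any physical round trip could be, which is what a locally generated RST looks like. The sample outputs, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the 0.1 ms plausibility floor are constructed for this example, not values from the page.

```python
"""Flag an Nmap --traceroute result that looks answered by the local host.

Added example: parses the TRACEROUTE block Nmap prints and checks for
one hop with a sub-physical RTT, the symptom a local firewall's spoofed
TCP RST produces. Sample text and addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "TRACEROUTE (using port 113/tcp)" -> probe port and protocol
HEADER_RE = re.compile(r"^TRACEROUTE \(using port (\d+)/(tcp|udp|sctp)\)", re.M)
# Answered hop: "1   0.03 ms  192.0.2.10"; unanswered: "2   ..." or "2   ... 4"
HOP_RE = re.compile(r"^(\d+)\s+(?:([\d.]+) ms|\.\.\.(?: \d+)?)\s*(.*?)\s*$")


@dataclass
class Hop:
    number: int
    rtt_ms: Optional[float]   # None when the hop did not reply
    address: Optional[str]    # None when the hop did not reply


@dataclass
class Traceroute:
    port: int
    proto: str
    hops: List[Hop]


def parse_nmap_traceroute(output: str) -> Traceroute:
    """Extract the TRACEROUTE section of an Nmap normal-output report."""
    m = HEADER_RE.search(output)
    if not m:
        raise ValueError("no TRACEROUTE block in Nmap output")
    hops: List[Hop] = []
    for line in output[m.end():].splitlines():
        line = line.strip()
        if not line or line.startswith("HOP"):
            continue                      # blank line or column header
        if line.startswith("Nmap done"):
            break                         # end of report
        hm = HOP_RE.match(line)
        if not hm:
            break                         # left the traceroute table
        rtt = float(hm.group(2)) if hm.group(2) else None
        hops.append(Hop(int(hm.group(1)), rtt, hm.group(3) or None))
    return Traceroute(int(m.group(1)), m.group(2), hops)


def looks_locally_answered(trace: Traceroute, min_plausible_ms: float = 0.1) -> List[str]:
    """Return reasons the trace looks fabricated locally; empty list means it looks genuine.

    The 0.1 ms floor is an assumption for this example: even one physical
    router hop normally costs more than that, while a RST generated by the
    probing host's own packet filter comes back in microseconds.
    """
    reasons: List[str] = []
    answered = [h for h in trace.hops if h.rtt_ms is not None]
    if len(trace.hops) == 1 and answered and answered[0].rtt_ms < min_plausible_ms:
        reasons.append(
            f"single hop answered in {answered[0].rtt_ms} ms (< {min_plausible_ms} ms): "
            "reply was probably generated on the probing host, not by the target")
    if trace.proto == "tcp" and trace.port == 113:
        reasons.append(
            "probe used 113/tcp (ident); the answer suspects an outbound REJECT with a "
            "spoofed RST on that port, so compare with 'traceroute --tcp=113'")
    return reasons


# Constructed sample mirroring the asker's symptom (documentation addresses).
SAMPLE_SUSPICIOUS = """\
Nmap scan report for 192.0.2.10
Host is up (0.00013s latency).
TRACEROUTE (using port 113/tcp)
HOP RTT      ADDRESS
1   0.03 ms  192.0.2.10

Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
"""

# Constructed sample of a normal multi-hop trace with two silent hops.
SAMPLE_GENUINE = """\
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   0.45 ms  192.0.2.1
2   ... 4
5   1.10 ms  198.51.100.7
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_SUSPICIOUS), ("genuine", SAMPLE_GENUINE)):
        t = parse_nmap_traceroute(text)
        print(label, t.port, t.proto, [(h.number, h.rtt_ms, h.address) for h in t.hops])
        for reason in looks_locally_answered(t):
            print("  ->", reason)
```

Run it against a saved `nmap -oN` report to get the same verdict on real output; the check only reads the report, so it does not need root or network access.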
