Using Nmap's traceroute option shows only one hop and is extremely fast. I understand it works differently than traceroute in that it tries to guess the right TTL instead of beginning with 1. But why is the RTT so fast? I have repeated this 10 times and the RTT is always in the range of 0.02 - 0.03 ms.
# nmap -Pn -T4 --traceroute xxx.xxx.xxx.xxx Starting Nmap 6.40 ( ) at 2019-06-25 12:25 PDT Nmap scan report for xxx.xxx.xxx.xxx Host is up (0.00013s latency). Not shown: 991 filtered ports PORT STATE SERVICE <redacted> TRACEROUTE (using port 113/tcp) HOP RTT ADDRESS 1 0.03 ms xxx.xxx.xxx.xxx Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds Using standard traceroute -T shows 8 hops. Repeating this 10 times shows a final RTT range between 0.77 - 1.20 ms. Both servers are on fast dedicated internet within 10 miles of each other, but 0.03 ms RTT seems unrealistic considering router processing time.
1 Answer
Your logs show that Nmap's traceroute works by sending TCP probes to port 113 (ident service). My guess is that your server's firewall, for some reason, blocks outgoing connections to that port – and it does so by faking a TCP RST, which Nmap interprets as a regular response to the probe. (Because it would indeed have received a TCP RST from the final hop, in most cases.)
Compare with traceroute --tcp=113.
Rejecting incoming Ident connections is normal. Doing the same for outgoing connections, however, is almost always completely useless. (Cargo-culting firewall rules?)