Reputation: 2621
According to Stevens (TCP/IP Illustrated), the traceroute program sends UDP packets to the destination host with an incrementing TTL (1, 2, 3, etc.) to get the intermediate-hop info from the ICMP TTL EXPIRED messages.
The "destination reached" condition is an ICMP PORT UNREACHABLE message, because traceroute addresses a random port with a high number (that is, one where it is unlikely that someone is listening).
So my question is: is there a technical reason (drawbacks, RFCs, etc.) to use UDP packets rather than, for instance, ICMP echo request messages (with increasing TTL), using the echo reply as the end condition?
I understand that the ICMP echo reply might be filtered out by firewalls or other network devices in the middle, but I guess this can happen to UDP packets as well.
Upvotes: 18
Views: 25485
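The exchange described in the question, as an added example that is not part of the original post: a UDP probe for hop N carries TTL=N and is sent to a high destination port (one port per probe, starting at 33434, which is the traditional choice); each router whose TTL decrement reaches zero answers ICMP Time Exceeded (type 11, code 0), and the destination, with nothing listening on that port, answers ICMP Destination Unreachable / Port Unreachable (type 3, code 3). Both errors quote the probe's IP header plus its first 8 payload bytes (the whole UDP header), so the quoted UDP destination port is what lets a reply be matched to the probe that caused it. The addresses, ports and the toy "network" below are constructed for illustration; the packet formats are the real ones.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11      # ICMP types
CODE_PORT_UNREACH, CODE_TTL_EXPIRED = 3, 0         # codes under those types
BASE_PORT = 33434   # traditional traceroute starting destination port
SRC_PORT = 40000    # arbitrary source port, an assumption for this example


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, hop: int) -> bytes:
    """Probe for hop N: TTL=N and destination port BASE_PORT+N-1 (one port per probe)."""
    payload = b"\x00" * 24                      # filler; UDP checksum 0 means "none" on IPv4
    udp = struct.pack("!HHHH", SRC_PORT, BASE_PORT + hop - 1, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, hop, PROTO_UDP, len(udp)) + udp


def icmp_error(sender: str, probe: bytes, itype: int, code: int) -> bytes:
    """ICMP error as a router or host emits it: 8-byte ICMP header, then the probe's
    IP header plus its first 8 payload bytes (the whole UDP header)."""
    quoted = probe[: (probe[0] & 0x0F) * 4 + 8]
    body = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(sender, socket.inet_ntoa(probe[12:16]), 64, PROTO_ICMP, len(body)) + body


@dataclass
class Reply:
    kind: str            # "hop" (Time Exceeded), "reached" (Port Unreachable) or "other"
    sender: str          # address that generated the ICMP message
    hop: Optional[int]   # hop number recovered from the quoted UDP destination port


def decode_reply(packet: bytes) -> Reply:
    """Classify an incoming ICMP packet and match it to its probe via the quoted UDP dport."""
    if packet[9] != PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    sender = socket.inet_ntoa(packet[12:16])
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if checksum(icmp) != 0:                     # a valid ICMP message checksums to zero
        raise ValueError("bad ICMP checksum")
    itype, code, quoted = icmp[0], icmp[1], icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if len(quoted) < max(qihl, 20) + 8 or quoted[9] != PROTO_UDP:
        return Reply("other", sender, None)     # not an error about one of our UDP probes
    dport = struct.unpack("!HHHH", quoted[qihl:qihl + 8])[1]
    hop = dport - BASE_PORT + 1
    if itype == ICMP_TIME_EXCEEDED and code == CODE_TTL_EXPIRED:
        return Reply("hop", sender, hop)
    if itype == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
        return Reply("reached", sender, hop)
    return Reply("other", sender, hop)


def forward(path: List[str], probe: bytes) -> bytes:
    """Toy network: every router decrements TTL and answers Time Exceeded when it hits 0;
    the last address on `path` is the target, which answers Port Unreachable."""
    ttl = probe[8]
    *routers, target = path
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return icmp_error(router, probe, ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED)
    return icmp_error(target, probe, ICMP_DEST_UNREACH, CODE_PORT_UNREACH)


def traceroute(src: str, path: List[str], max_hops: int = 30):
    """The traceroute loop: TTL 1, 2, 3 ... until a Port Unreachable comes back."""
    hops = []
    for hop in range(1, max_hops + 1):
        reply = decode_reply(forward(path, udp_probe(src, path[-1], hop)))
        if reply.hop != hop:
            raise RuntimeError("reply does not match the probe just sent")
        hops.append((hop, reply.sender, reply.kind))
        if reply.kind == "reached":
            break
    return hops


if __name__ == "__main__":
    # Constructed documentation-range addresses: two routers, then the target.
    for n, who, kind in traceroute("192.0.2.10", ["192.0.2.1", "198.51.100.1", "203.0.113.5"]):
        print(f"{n:2d}  {who:15s}  {kind}")
```

The matching step in `decode_reply` is the part worth noticing: the ICMP error arrives from a router address you did not send anything to, so the only link back to your probe is the quoted header, which is why real traceroute varies the destination port per probe rather than sending everything to one port.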
Reputation: 1
I was insanely jealous when Van Jacobson of LBL used my kernel ICMP support to write TRACEROUTE, by realizing that he could get ICMP Time-to-Live Exceeded messages when pinging by modulating the IP time to live (TTL) field. I wish I had thought of that! :-) Of course, the real traceroute uses UDP datagrams because routers aren't supposed to generate ICMP error messages for ICMP messages.
source: https://ftp.arl.army.mil/~mike/ping.html
Upvotes: 0
Reputation: 4074
It's actually the "old" method of doing traceroutes. I guess the main motivation was that sending out plain UDP packets requires no special privileges, whereas sending ICMP packets does (raw sockets or the equivalent). That's why e.g. ping is usually setuid to root, which is a big risk security-wise.
Nowadays traceroute supports ICMP and TCP probe packets as well, so you are more likely to be able to sneak through firewalls, which are more often than not deployed without consideration. This also means that traceroute is likely also setuid root on your system. See its man page, especially the part about available methods: http://linux.die.net/man/8/traceroute
Upvotes: 19
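The privilege boundary the answer above refers to, as an added example (not the answerer's code): setting the TTL on an ordinary UDP socket is an unprivileged operation, while opening a raw ICMP socket is not (on Linux it needs CAP_NET_RAW, which is what the setuid-root bit on ping or traceroute provides). Nothing is transmitted; the functions only create sockets and read the option back.

```python
import socket


def udp_ttl_roundtrip(ttl: int) -> int:
    """Unprivileged path: plain UDP socket, TTL set via IP_TTL and read back.
    This is all a UDP-probe traceroute needs to control how far a probe travels."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        return s.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


def can_open_raw_icmp() -> bool:
    """Privileged path: a raw socket is needed to craft or read ICMP yourself.
    Without CAP_NET_RAW/root this raises PermissionError; other OSErrors
    (e.g. a sandbox that blocks the call) are treated the same way here."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print("TTL read back from UDP socket:", udp_ttl_roundtrip(7))
    print("raw ICMP socket allowed here:", can_open_raw_icmp())
```

The remaining half of the unprivileged picture, receiving the ICMP errors that come back, is platform-specific: on Linux a UDP socket with IP_RECVERR set can read them from its error queue, and ICMP echo itself can be sent from an unprivileged datagram socket when the sysctl net.ipv4.ping_group_range allows it; neither is required for the check above.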