Definition of a “Last Hop” in Networking
A last hop in networking is the final router that forwards your data before it reaches its destination. Think of it as the last postal sorting office before a letter is delivered to your door. In traceroute output, the last hop appears as the final visible IP address before the destination server. Understanding the last hop in networking helps you diagnose internet problems, learn about CDNs, and uncover hidden infrastructure.
For a broader understanding of network paths, see our traceroute beginner guide and what happens when you ping an unused IP address.
Simple Explanation Using a Delivery Route Analogy
Imagine you order a package from a warehouse in another city. The package travels through several distribution centers (hops). The last distribution center before the final delivery truck is the “last hop.” After that, a local courier (the destination server) takes over. Similarly, in networking, your data packet hops from router to router. The last hop is the final router that hands the packet to the destination network or server.
Difference Between a Hop and a Last Hop
- Hop – Any router along the path between your computer and the destination. A typical traceroute shows 10‑20 hops.
- Last hop – The specific router that is directly connected to the destination network. It is the final router that appears in traceroute before the destination (if the destination responds).
All last hops are hops, but not all hops are last hops.
How Data Packets Travel Across the Internet
Your data is split into small packets. Each packet contains the source IP (you) and destination IP (the server). Packets travel from router to router, each router deciding the next step based on routing tables. They may take different paths, but traceroute shows one representative path. The last hop is the router that knows exactly how to reach the destination’s local network.
Role of Routers in Packet Forwarding
Routers are specialized computers that connect networks. They examine each packet’s destination IP and forward it toward the correct direction. A router at a last hop has a direct route (often a single Ethernet link) to the destination server’s subnet. This router may be owned by the destination’s ISP, a cloud provider, or the destination company itself.
What Traceroute Reveals About Hops
Traceroute sends packets with increasing TTL (Time To Live) values. Each router that handles a packet before TTL expires sends back its IP. The result is a list of hop IPs, including the last hop. Traceroute also shows latency (in milliseconds) for each hop.
For a complete tutorial, see our traceroute beginner guide.
Difference Between Traceroute and Ping
| Tool | What It Shows |
|---|---|
| Ping | Whether the destination is alive, and round‑trip time. |
| Traceroute | Each hop along the path, including the last hop, with per‑hop latency. |
Ping is a yes/no test. Traceroute is a map.
Why the Last Hop Matters in Networking
The last hop matters because:
- It often reveals the final network before your data arrives (e.g., a CDN edge server, a cloud provider’s gateway).
- High latency or packet loss at the last hop indicates problems near the destination.
- A missing or hidden last hop can mean the destination blocks traceroute or uses private addressing.
- Security analysts monitor last hops to detect route hijacks or BGP anomalies.
Last Hop vs Final Destination Explained
- Last hop – The router that is directly connected to the destination’s network. It is a piece of infrastructure, not the final server.
- Final destination – The actual server (web server, game server, API endpoint) that your data is trying to reach.
The final destination may or may not respond to traceroute probes. If it does not, you will see the last hop and then timeouts.
How ISPs Route Traffic Before the Destination
Your ISP forwards your packets through its own network (local, regional, and backbone routers). Then, at a peering point or internet exchange, the packets enter the destination’s ISP or cloud provider. The last hop is typically the edge router of the destination’s network. After that, the packet travels inside that network to the final server.
ISP Edge Routers Explained
An edge router sits at the boundary between an ISP’s network and the rest of the internet. It connects to other ISPs, cloud providers, or large customers. In many traceroutes, the last hop is an edge router belonging to the destination’s provider (e.g., a Cloudflare edge router, an AWS gateway).
Datacenter Gateways and Edge Nodes
In a datacenter, the gateway router is the entry point from the internet. All traffic to servers inside that datacenter passes through this gateway. The gateway is often the last hop in traceroute. Edge nodes are similar but distributed – CDNs place edge nodes close to users, making them appear as last hops for many destinations.
CDN Edge Servers as Last Hops
Content Delivery Networks (CDNs) like Cloudflare, Akamai, and Fastly place edge servers around the world. When you request a website that uses a CDN, your traffic goes to the nearest edge server. That edge server acts as the last hop in traceroute. The actual origin server may be hundreds of miles away, hidden behind the CDN.
How Cloudflare and Akamai Affect Last Hops
Cloudflare and Akamai use Anycast routing. Many edge servers share the same IP address. Your traceroute will show the nearest edge server’s routers as the last hops. This makes the last hop appear geographically close to you, even if the origin server is far away. For example, traceroute to 1.1.1.1 (Cloudflare DNS) often shows a last hop in your own city.
Load Balancers and Hidden Infrastructure
Large websites use load balancers to distribute traffic across many servers. A load balancer may be the last hop visible in traceroute. The actual web servers are hidden behind it. This improves reliability and security.
Why Traceroute Sometimes Stops Before the Destination
Traceroute may end before reaching the destination because:
- The destination network blocks ICMP or UDP probes.
- A firewall on the last hop filters traceroute packets.
- The destination does not respond to the specific probe type (e.g., UDP traceroute to a server that does not send Port Unreachable).
- The max hop limit (usually 30) is reached before the destination.
If the website loads but traceroute stops early, the destination is simply ignoring traceroute.
ICMP Filtering Explained
ICMP is the protocol used by ping and traceroute. Many network administrators filter ICMP to reduce attack surface. When an edge router filters ICMP Time Exceeded or Port Unreachable messages, it will not appear in traceroute. Consequently, the last hop may be missing or appear as * * *.
Firewalls Blocking Last‑Hop Visibility
Firewalls at the destination’s network edge often drop traceroute probes silently. This means you will not see the final router or the destination server. Instead, traceroute will show a series of hops and then timeouts. The last visible hop before the timeouts is the last responding router, which may not be the true last hop.
MPLS Networks and Invisible Hops
Many ISPs use MPLS (Multiprotocol Label Switching). In MPLS, packets are forwarded based on labels, not IP addresses. Routers in the MPLS core do not decrement the IP TTL, so traceroute does not see them. The last hop you see may actually be several hops away from the true edge. MPLS makes the network simpler but hides internal topology.
Why Cloud Providers Hide Infrastructure
Cloud providers like AWS, Azure, and Google Cloud do not want customers to map their internal network. They filter ICMP and use MPLS to hide routers. Your traceroute to a cloud VM may show only a few hops, with the final hop being an edge router. The internal network is invisible. This is a deliberate security and design choice.
What “Request Timed Out” Means Near the Last Hop
* * * (Request timed out) near the end of traceroute means that the router did not reply to the probe. Common reasons:
- The router is configured to ignore traceroute.
- The probe packet was lost (congestion).
- A firewall dropped the packet.
If you see timeouts for several hops and then the destination, the destination itself may be replying. If only the final hop times out but the destination works, the last hop is hiding.
Silent Packet Dropping Explained
Silent dropping is when a router or firewall discards a packet without sending any error message back. This is common for ICMP probes. When a last hop silently drops your traceroute probes, you will see no reply. The packet still passes through, but you cannot see the router.
Difference Between Visible and Invisible Hops
- Visible hops – Respond to traceroute probes (ICMP Time Exceeded or Echo Reply). You see their IPs.
- Invisible hops – Do not respond. They may be MPLS routers, devices that filter ICMP, or simply unresponsive.
The true last hop could be invisible if the network is configured to hide it. This is normal in modern networks.
Public vs Private IP Addresses in Traceroute
- Public IP – Globally unique and routable. Most hops after the first have public IPs.
- Private IP – Reserved for internal networks (
10.x.x.x,192.168.x.x,172.16.x.x). If you see private IPs late in traceroute, your ISP is using CGNAT or the destination network uses private addressing internally (less common).
A last hop with a private IP suggests the destination is inside a private network reachable via NAT or VPN.
Carrier‑Grade NAT and Hidden Routing Layers
Carrier‑Grade NAT (CGNAT) allows ISPs to share one public IP among many customers. In CGNAT, you may see private IPs for several hops. The true last hop might be a CGNAT gateway, then the public internet. This adds an extra hidden layer.
Why Some Last Hops Belong to CDNs Instead of Servers
CDNs are designed to be the last hop before your data reaches the content. When you traceroute to a CDN‑hosted website, the last hop is the CDN’s edge server. The actual origin server is behind the CDN and never appears in traceroute. This improves performance and hides the origin.
How Large Companies Mask Their Real Servers
Large companies (Google, Facebook, Amazon) use reverse proxies and load balancers. Your traceroute ends at a proxy that then forwards your request internally. The proxy’s IP is the last hop. The real servers have private IPs and are invisible from the internet.
Last‑Hop Latency and Performance Analysis
The latency at the last hop is the round‑trip time from you to the edge of the destination’s network. This includes:
- Propagation delay (distance)
- Queuing delay (congestion)
- Processing delay (router CPU)
If the last‑hop latency is high, the problem is close to the destination. If it is low but your website still loads slowly, the issue is inside the destination’s network (beyond the last hop).
How Network Engineers Troubleshoot Using Last Hops
Engineers use traceroute to find where delays or losses occur. They compare latency from hop to hop. A jump in latency at the last hop may indicate a congested edge router. A sudden packet loss at the last hop that continues suggests a problem with the destination network. They also watch for route changes or unexpected last hops.
Diagnosing Slow Internet Connections
To diagnose slow internet:
- Run traceroute to a known fast site (e.g., your ISP’s speed test server).
- Look for the last hop before the destination.
- If latency spikes at a specific hop, that hop is congested.
- If the last hop shows high latency but earlier hops are fine, the problem is near the destination.
- If all hops are fine but the site is slow, the destination server itself may be overloaded.
Gaming Lag and Last‑Hop Congestion
Online games use specific server IPs. Run traceroute to the game server IP. If the last hop or the hop before it shows high latency or packet loss, that is where your lag comes from. Report the issue to your ISP if the problematic hop is within their network. If it is outside, you may need to use a gaming VPN to reroute traffic.
Packet Loss Near the Destination Explained
If traceroute shows packet loss (* * *) at the last hop and also at the destination, the loss is real and affects your connection. If loss appears at the last hop but not at the destination, it is likely that the last hop is simply not replying (ICMP filtering). Ignore loss that does not propagate to subsequent hops.
International Routing and Submarine Cable Effects
When your traffic crosses an ocean, the last hop may be in a different continent. The latency will be high (100‑200 ms). The last hop before the undersea cable is often on your side; after the cable, the first hop on the far side becomes the new last hop for that leg. The final last hop is near the destination server.
Geographic Clues from Last‑Hop IPs
You can often guess the location of a last hop by its IP address or reverse DNS name. For example, nyc indicates New York, lhr indicates London. However, IP geolocation is not always accurate. Use it as a hint, not a fact.
For more on unassigned and mysterious IPs, see our unassigned IPv4 addresses guide.
DNS Names and Reverse Lookups Explained
Traceroute performs a reverse DNS lookup on each hop IP. The resulting name often includes the router’s location and role. For a last hop, you might see edge-nyc.cloudflare.com or gateway-aws-us-east-1. These names help identify the network.
How BGP Routing Affects the Final Path
BGP (Border Gateway Protocol) is how routers decide which path to take. Your packets may cross multiple autonomous systems (ASes) before reaching the last hop. The last hop belongs to the AS of the destination’s network. BGP changes (e.g., a route leak) can make the last hop appear from a different AS than expected.
BGP Route Leaks and Strange Last Hops
A BGP route leak occurs when an ISP accidentally announces routes it should not. This can cause your traffic to take a strange path. The last hop might be in an unexpected country or belong to a different provider. Route leaks are rare but can cause high latency and weird traceroute results.
Security Implications of Exposing Last Hops
Revealing the last hop exposes the edge router of a network. Attackers can use this information to plan attacks (e.g., DDoS on that router). Therefore, many networks hide last hops by filtering ICMP. This is why you often see * * * instead of the final router.
Why Companies Intentionally Hide Network Topology
Companies hide internal routers, load balancers, and last hops to:
- Prevent network mapping by attackers.
- Reduce ICMP processing overhead.
- Keep their infrastructure design secret.
For these reasons, you should not assume that a missing last hop means a problem.
How Hackers Use Traceroute Reconnaissance
Attackers run traceroute to map target networks. They look for:
- Firewalls and edge routers (potential weak points).
- Load balancers (to understand server architecture).
- Private IPs (which might be reachable via misconfigurations).
- Unfiltered ICMP replies (indicating poor security).
Defenders hide last hops to make reconnaissance harder.
Ethical Considerations of Network Mapping
Mapping networks with traceroute is generally allowed for public destinations. However:
- Do not scan private networks without permission.
- Do not use traceroute to harass or disrupt.
- Respect rate limits (do not flood).
Using traceroute to learn networking is fine. Using it to attack is not.
Dark IP Space and “Mystery” Last Hops
Sometimes traceroute ends at an unassigned IPv4 address (bogon) or a private IP. This can be a:
- Honeypot (security trap).
- Internal router that leaked a private IP.
- Misconfigured edge device.
For a deep dive, see our unassigned IPv4 addresses pillar post.
What Happens When the Last Hop Never Responds
If the last hop never responds, traceroute will show timeouts for that hop and possibly for subsequent hops. This does not mean your data is not getting through. The router may be silently forwarding packets. If you can still reach the destination (e.g., a website loads), ignore the lack of response.
Last‑Hop Anomalies in Cloud Hosting
Cloud providers like AWS use elastic IPs and NAT gateways. The last hop you see may be a NAT gateway, not the actual server. The server’s real IP is private. This is normal and expected.
Internet Backbone Networks Explained
The internet backbone consists of high‑speed routers owned by Tier 1 ISPs (e.g., Lumen, NTT, Verizon). Your packets travel through backbone routers before reaching the last hop. Backbone routers are typically visible in traceroute (unless MPLS is used).
Role of Tier 1 ISPs in Final Routing
A Tier 1 ISP can reach any other network without paying transit. They often carry traffic across continents. The last hop before entering a CDN or cloud provider is often a Tier 1 router. After that, the packet enters the destination’s network.
Tor and VPN Effects on Last‑Hop Visibility
- VPN – Your traceroute goes to the VPN server first. The VPN server then sends traffic to the destination. The last hop you see is the VPN server’s outbound router, then the destination’s edge. The VPN hides your original path.
- Tor – Traceroute only reaches the first Tor relay. The rest of the path is hidden. Tor is not compatible with standard traceroute.
How VPNs Change Traceroute Results
When you use a VPN, your traceroute will show:
- Your home router
- Your ISP routers
- The VPN server’s IP
- Then, from the VPN server to the destination (including the destination’s last hop)
This adds extra hops and may increase latency. The VPN server’s location becomes part of the path.
IPv4 vs IPv6 Last‑Hop Behavior
- IPv4 – Last hops are typically public IPv4 addresses. Some networks hide them.
- IPv6 – Similar behavior, but IPv6 has more address space. Many networks are less aggressive about filtering ICMPv6 because it is used for Neighbor Discovery. You may see more last hops in IPv6.
Last Hops Inside Corporate Networks
Corporate networks often use private IP ranges internally. The last hop inside a corporate network may be a private IP (e.g., 10.0.0.1). From the outside, you would not see these hops because they are not reachable. Only hops on the public path are visible.
Examples of Real Traceroute Outputs
Example 1 – Cloudflare CDN last hop
text
10 15 ms 15 ms 14 ms edge-nyc.cloudflare.com [198.41.0.1] 11 16 ms 15 ms 16 ms [destination website IP]
Here, hop 10 is the last hop (CDN edge). Hop 11 is the destination (responds).
Example 2 – Hidden last hop
text
9 20 ms 20 ms 21 ms be-1.isp.net [203.0.113.5] 10 * * * Request timed out. 11 22 ms 22 ms 21 ms 93.184.216.34 (destination)
Hop 10 is a hidden router (does not reply). Hop 11 is the destination.
Example 3 – Firewall drops at last hop
text
12 25 ms 25 ms 26 ms edge-gateway.datacenter.com [198.51.100.10] 13 * * * Request timed out. 14 * * * Request timed out.
The last visible hop is hop 12. Hops 13 and 14 are silent. The destination is either behind a firewall or offline.
Step‑by‑Step Breakdown of a Traceroute Example
Take the Cloudflare example above:
- Hops 1‑9: Various routers (not shown). Latency gradually increases.
- Hop 10:
edge-nyc.cloudflare.com– This is the last hop before the destination. The latency is 15 ms, which is good. - Hop 11: The destination IP responds directly. The latency is similar (16 ms), indicating the final server is nearby.
Interpretation: The CDN edge server is in New York. The origin server is also close or the CDN is proxying.
Visualization Ideas for Packet Travel
To visualize the last hop:
- Draw a line from your computer to a cloud icon (the internet).
- Place dots for each router (hops).
- Mark the final dot before the destination server as the last hop.
- Show the destination server after the last hop.
An animated traceroute would show packets traveling from left to right, with TTL counting down.
Common Myths About Hidden Routers
| Myth | Truth |
|---|---|
| “Missing hops mean the router is down.” | It may be filtering ICMP or using MPLS. |
| “The last hop is always the destination server.” | No, it is the router before the server. |
| “If the last hop times out, your data is lost.” | Your data may still be passing through silently. |
| “Private IPs mean the network is insecure.” | Private IPs are normal for internal routing. |
Government and Military Reserved Infrastructure
The U.S. Department of Defense and other governments own large IPv4 blocks. Some of these addresses are used for internal networks and never announced to the public internet. If a traceroute ends at an IP in 6.0.0.0/8 or 11.0.0.0/8, it may be a military network. Those last hops are hidden from normal traceroute probes due to security.
Why Some Last Hops Appear in Different Countries
Geolocation databases are not perfect. A last hop IP may be registered in one country but physically located elsewhere. Also, some networks use anycast (same IP in multiple locations). Traceroute to an anycast IP may show a last hop near you, even if the IP’s registered country is far away.
CDN Geo‑Routing Explained
CDNs use geo‑routing to direct your request to the closest edge server. The edge server becomes the last hop. Geo‑routing uses DNS to return the IP of the nearest edge. This is why traceroute to a CDN website often shows a last hop in your country.
Last‑Hop Mysteries and Internet Folklore
Internet folklore includes stories of “phantom” last hops – routers that respond with strange data or appear in traceroute despite being unassigned. Some of these are honeypots, others are misconfigurations, and a few are unexplained. For a deep dive, see our unassigned IPv4 addresses pillar post.
Can Last Hops Reveal Physical Locations?
Sometimes. Reverse DNS names often include city codes. You can also estimate location by latency (e.g., 150 ms usually means transatlantic). However, do not rely on traceroute for precise geolocation. IP geolocation databases are often inaccurate, especially for cloud providers.
How Cybersecurity Researchers Analyze Routing Paths
Researchers use traceroute to:
- Detect BGP hijacks (unexpected last hops).
- Study internet censorship (where traffic is blocked).
- Map internet topology (which ISPs connect to each other).
- Monitor route leaks.
They collect traceroute data from many vantage points (e.g., using RIPE Atlas).
Tools for Exploring Network Hops Safely
- Command line traceroute – safe, built‑in.
- Online traceroute (web‑based) – use cautiously; avoid sensitive destinations.
- MTR – continuous traceroute, good for monitoring.
- Visual traceroute (e.g.,
traceroute -Aon Linux shows AS numbers).
Never use these tools to attack or scan networks without permission.
Beginner Troubleshooting Guide Using Traceroute
- Identify the destination IP (use
nslookupordig). - Run
traceroute [IP]. - Look for the last hop before the destination.
- Note latency at the last hop. If it is high (>100 ms), the destination is far or congested.
- If you see
* * *at the last hop but the destination replies, ignore it. - If you see packet loss at the last hop and no destination reply, the destination may be down or blocking you.
For more, see our traceroute beginner guide.
FAQ Section About Hops and Routing
Q: What is the last hop in simple terms?
The final router your data touches before reaching the destination server.
Q: Why does my traceroute show * * * at the last hop?
The router is configured not to reply to traceroute probes. Your data still goes through.
Q: Can the last hop be the same as the destination?
No. The destination is a server, not a router. However, some servers respond to traceroute, making them appear as a hop.
Q: How do I know if the last hop is the problem?
Check if latency at the last hop is much higher than previous hops. If it is, that router may be congested. If the website still loads, it may not be a problem.
Q: Why does the last hop change sometimes?
Load balancing, BGP changes, or using a different CDN edge can change the last hop.
Q: Does a VPN hide my last hop from the destination?
Your VPN server becomes the source. The destination sees the VPN server’s IP, not yours. The last hop from the VPN server to the destination is visible to the destination.
Q: Can I use traceroute to find someone’s exact location?
Not exactly. You can get a rough region (city/state) from hostnames, but not a street address.
Glossary of Networking Terms
- Anycast – A routing method where multiple servers share the same IP; traffic goes to the nearest one.
- AS (Autonomous System) – A network under a single organization (e.g., an ISP).
- BGP (Border Gateway Protocol) – The routing protocol that exchanges routes between ASes.
- CDN (Content Delivery Network) – A network of edge servers that deliver content quickly.
- Edge router – A router at the boundary between networks.
- Hop – One router along the path.
- ICMP (Internet Control Message Protocol) – The protocol used by ping and traceroute.
- Latency – Delay, measured in milliseconds.
- Last hop – The final router before the destination server.
- MPLS (Multiprotocol Label Switching) – A technique that hides internal routers.
- Packet – A small unit of data sent over a network.
- Peering – Two ISPs exchanging traffic directly without payment.
- Reverse DNS – Looking up a domain name from an IP address.
- Route leak – Accidental announcement of routes, causing traffic to take strange paths.
- Traceroute – Tool that maps the path of packets.
- TTL (Time To Live) – A counter that prevents packets from looping forever.
Final Summary – What the “Last Hop” Really Tells You
The last hop in networking is the final router on the path from you to a destination. It reveals the edge of the destination’s network, often a CDN edge server, a cloud provider’s gateway, or an ISP’s edge router. By analyzing the last hop, you can diagnose latency, spot congestion, and understand how content is delivered. However, many networks hide their last hops for security and performance reasons. A missing last hop or a timeout does not mean failure – it often means the network is simply not responding to probes.
Understanding the last hop gives you a window into the invisible machinery of the internet. From CDNs to BGP, from MPLS to ICMP filtering, the last hop is where your data crosses the final frontier before arriving at its destination. The next time you run a traceroute, look for that last hop. It has a story to tell.
For deeper exploration, see our traceroute beginner guide, what happens when you ping an unused IP address, and unassigned IPv4 addresses pillar post.
