TTL filtering

Kreken Posts: 284 Member
I would like to set up TTL filtering on my production edge routers. Since I can't really model the real traffic in GNS3, I would like to ask your opinion. What's better:

1. Drop all packets with ttl less than 10?
sample acl
deny ip any any ttl lt 10
permit ip any any

2. Drop all packets with just ttl 1 or 0?
sample acl2
deny ip any any ttl eq 0
deny ip any any ttl eq 1
permit ip any any

Comments

  • Met44 Posts: 194 Member
    If you use the "1 or 0" ACL, people can't traceroute the hops immediately after where the ACL is applied, but they can still traceroute deeper inside your network. If you were tracing a server that is 4 hops past the ACL, there would just be a "no response" blip on one line of the traceroute output and you would still see the other hops on the way to the server. If you use the "less than X" ACL, and you have no more than 10 routed hops between the ACL and any destination inside your network, this kind of TTL attack is prevented from the outside.

    TTL Expiry Attack Identification and Mitigation - Cisco Systems

    See the "TTL expiry attacks" section. It actually recommends both methods: the "less than 10/15" on the trusted-to-untrusted boundary, and the "0 or 1" within the trusted network to help prevent internal scanning.
  • Kreken Posts: 284 Member
    Thank you for the link.
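An added example, not code from the thread, that models the two ACLs from the post and Met44's point about where admitted packets can still expire: every TTL each ACL admits is walked across a constructed path of routed hops, assuming hop 1 is the router applying the ACL, and the second ACL is written with the `ip` keyword that extended-ACL syntax needs.

```python
from typing import Optional

OPS = {"lt": lambda ttl, v: ttl < v, "eq": lambda ttl, v: ttl == v}

def parse_ace(line: str) -> tuple:
    """Parse 'permit|deny ip any any [ttl lt|eq N]' into (action, op, value)."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"unexpected action in {line!r}")
    if "ttl" in t:
        i = t.index("ttl")
        return t[0], t[i + 1], int(t[i + 2])
    return t[0], None, None      # entry without a TTL match, e.g. 'permit ip any any'

def acl_permits(acl: list, ttl: int) -> bool:
    """First-match evaluation with the implicit deny at the end, as in IOS."""
    for action, op, value in acl:
        if op is None or OPS[op](ttl, value):   # KeyError for an operator not modelled here
            return action == "permit"
    return False

def expiry_hop(ttl: int, hops: int) -> Optional[int]:
    """Hop 1 is the router applying the ACL (assumption); every hop decrements
    the TTL and, when it reaches 0, drops the packet and answers with ICMP
    Time Exceeded.  Returns that hop, or None if the packet is delivered."""
    for hop in range(1, hops + 1):
        ttl -= 1
        if ttl <= 0:
            return hop
    return None

def internal_expiry_hops(acl_text: str, hops: int) -> list:
    """Hops at which some ACL-admitted packet would still expire (any TTL 0..255)."""
    acl = [parse_ace(line) for line in acl_text.strip().splitlines()]
    hits = {expiry_hop(ttl, hops) for ttl in range(256) if acl_permits(acl, ttl)}
    return sorted(h for h in hits if h is not None)

# The two ACLs from the post; the second with the 'ip' keyword the extended
# ACL syntax needs.
ACL_LT10 = "deny ip any any ttl lt 10\npermit ip any any"
ACL_EQ01 = "deny ip any any ttl eq 0\ndeny ip any any ttl eq 1\npermit ip any any"

if __name__ == "__main__":
    # Constructed scenario: 10 routed hops from the edge to the deepest server.
    for name, acl in (("ttl lt 10", ACL_LT10), ("ttl eq 0/1", ACL_EQ01)):
        print(f"{name:10} -> ICMP Time Exceeded possible at hops {internal_expiry_hops(acl, 10)}")
```

With 10 hops the `lt 10` ACL leaves only the tenth hop able to answer with ICMP Time Exceeded (and none at all with 9 hops), while `eq 0/1` leaves hops 2 through 10 reachable that way.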