Options
TTL filtering
Kreken
Member Posts: 284
I would like to setup TTL filtering on my production edge routers. Since I can't really model the real traffic in GNS3, I would like to ask your opinion. What's better:
1. Drop all packets with ttl less than 10?
sample acl
deny ip any any ttl lt 10
permit ip any any
2. Drop all packets with just ttl 1 or 0?
sample acl2
deny ip any any ttl eq 0
deny ip any any ttl eq 1
permit any any
1. Drop all packets with ttl less than 10?
sample acl
deny ip any any ttl lt 10
permit ip any any
2. Drop all packets with just ttl 1 or 0?
sample acl2
deny ip any any ttl eq 0
deny ip any any ttl eq 1
permit any any
Comments
-
Options
Met44
Member Posts: 194
If you use the "1 or 0" ACL, people can't traceroute the hops immediately after where the ACL is applied, but they can still traceroute deeper inside your network. If you were tracing a server that is 4 hops past the ACL, there would just be a "no response" blip on one line of the traceroute output and you would still see the other hops on the way to the server. If you use the "less than X" ACL, and you have no more than 10 routed hops between the ACL and any destination inside your network, this kind of TTL attack is prevented from the outside.
TTL Expiry Attack Identification and Mitigation - Cisco Systems
See the "TTL expiry attacks" section. It actually recommends both methods: the "less than 10/15" on the trusted-to-untrusted boundary, and the "0 or 1" within the trusted network to help prevent internal scanning.