TTL filtering
Kreken
I would like to set up TTL filtering on my production edge routers. Since I can't really model the real traffic in GNS3, I would like to ask your opinion. What's better:
1. Drop all packets with ttl less than 10?
sample acl
deny ip any any ttl lt 10
permit ip any any
2. Drop all packets with just ttl 1 or 0?
sample acl2
deny ip any any ttl eq 0
deny ip any any ttl eq 1
permit ip any any
Comments
Met44
If you use the "1 or 0" ACL, people can't traceroute the hops immediately after where the ACL is applied, but they can still traceroute deeper inside your network. If you were tracing a server that is 4 hops past the ACL, there would just be a "no response" blip on one line of the traceroute output and you would still see the other hops on the way to the server. If you use the "less than X" ACL, and you have no more than 10 routed hops between the ACL and any destination inside your network, this kind of TTL attack is prevented from the outside.
TTL Expiry Attack Identification and Mitigation - Cisco Systems
See the "TTL expiry attacks" section. It actually recommends both methods: the "less than 10/15" on the trusted-to-untrusted boundary, and the "0 or 1" within the trusted network to help prevent internal scanning.
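As an added illustration of Met44's point (example code written for this page, not from the thread or from Cisco): a small Python model that replays outside traceroute probes through the two ACLs posted above, applied inbound on the edge router. The topology, hop names and the assumption that the ACL sees the packet's TTL as it arrives, before that router decrements it, are constructed.

```python
# Added example: toy model of outside traceroute probes meeting a TTL-matching
# inbound ACL on the edge router. Topology and semantics are constructed.
ACL_LT_10 = ["deny ip any any ttl lt 10", "permit ip any any"]
ACL_EQ_0_1 = ["deny ip any any ttl eq 0", "deny ip any any ttl eq 1", "permit ip any any"]

def acl_permits(acl_lines, ttl):
    """First-match evaluation of the thread's ACL lines against the TTL a packet
    carries on arrival. Only 'permit|deny ip any any [ttl lt|eq|gt N]' is
    understood; an implicit deny closes the list, as on IOS."""
    for line in acl_lines:
        action, *rest = line.split()
        if "ttl" in rest:
            i = rest.index("ttl")
            op, val = rest[i + 1], int(rest[i + 2])
            matched = {"lt": ttl < val, "eq": ttl == val, "gt": ttl > val}[op]
        else:
            matched = True
        if matched:
            return action == "permit"
    return False

def traceroute(path, acl_hop, acl_lines, max_ttl=30):
    """Simulate traceroute from outside along `path` (hop names, destination last).
    The ACL is applied inbound on path[acl_hop]. Returns one entry per probe:
    the hop that answered, or '*' when nothing answered."""
    output = []
    for initial_ttl in range(1, max_ttl + 1):
        ttl, answer = initial_ttl, "*"
        for idx, hop in enumerate(path):
            if idx == acl_hop and not acl_permits(acl_lines, ttl):
                break            # denied: dropped, nothing goes back to the prober
            if idx == len(path) - 1:
                answer = hop     # destination host replies
                break
            ttl -= 1
            if ttl == 0:
                answer = hop     # router sends ICMP time exceeded: hop revealed
                break
        output.append(answer)
        if answer == path[-1]:
            break
    return output

def internal_hops_revealed(path, acl_hop, acl_lines):
    """Routers at or beyond the ACL router that an outside traceroute still sees."""
    seen = set(traceroute(path, acl_hop, acl_lines))
    return [h for h in path[acl_hop:-1] if h in seen]

# Constructed topology: two ISP hops, the edge router (ACL inbound), three
# internal routers, then a server 4 hops past the ACL as in the reply above.
PATH = ["isp-a", "isp-b", "edge", "core-1", "core-2", "dist-1", "server"]
EDGE = PATH.index("edge")

if __name__ == "__main__":
    for name, acl in (("ttl eq 0/1", ACL_EQ_0_1), ("ttl lt 10", ACL_LT_10)):
        print(name, traceroute(PATH, EDGE, acl), internal_hops_revealed(PATH, EDGE, acl))
```

With the "eq 0/1" ACL the run shows a single "*" at the edge and the three internal routers still answering; with "lt 10" every internal router stays silent, and lengthening the path past ten routed hops after the ACL shows where that protection stops.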
Kreken
Thank you for the link.