TTL Manipulation

When traffic traverses your network, each hop (routing device) decreases a packet's Time to Live (TTL) value. If this value reaches 0 before the packet reaches its destination, the packet is discarded, and an Internet Control Message Protocol (ICMP) error message is sent to the originating host.

An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack. If your network-based sensor sees all of the packets but the target host sees only the actual attack packets, the attacker has distorted the information the sensor bases its analysis on, so the sensor may miss the attack. Figure 8-2 illustrates this attack. The bogus packets start with a TTL of 3, whereas the real attack packets start with a TTL of 7. The sensor sees both sets of packets, but the target host sees only the real attack packets.

Figure 8-2. Variable TTL Attack


Although this attack is possible, it is very difficult to execute because it requires a detailed understanding of the network topology and the location of IPS sensors. Furthermore, many network devices (such as firewalls and inline IPS sensors) prevent these types of attacks by normalizing the TCP streams running through them. For instance, Cisco IPS sensors (running 5.0 software) can monitor a TCP stream (when running in inline mode) and rewrite the outgoing TTL values to match the lowest TTL value seen on that TCP stream. This prevents a TTL manipulation attack because every packet leaves the sensor with the same TTL regardless of the TTL on the inbound packet, so either all of the packets reach the target or none of them do.
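The following simulation is an added example, not code from the book or from Cisco. It models the topology behind Figure 8-2 with constructed assumptions: the sensor taps the link after the second router and the target host sits behind the sixth, so a packet sent with TTL 3 reaches the sensor (TTL 1) but is discarded before the target, while a packet sent with TTL 7 reaches both. It shows why a passive sensor's reassembled view of the stream differs from the target's, then applies the normalization the text describes (rewrite every outgoing segment's TTL to the lowest TTL seen so far on that stream) and adds a simple defender's check that flags streams whose TTLs are inconsistent. The reassembly policy (first segment seen at an offset wins) and all addresses and payloads are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed topology (assumption): routers between the sender and the sensor,
# and between the sender and the target host.
ROUTERS_BEFORE_SENSOR = 2
ROUTERS_BEFORE_TARGET = 6

STREAM = "198.51.100.7:40000->203.0.113.5:80"  # constructed flow key


@dataclass(frozen=True)
class Packet:
    stream: str     # flow key (src:port->dst:port)
    seq: int        # payload offset within the stream
    ttl: int
    payload: bytes


def route(pkt: Packet, hops: int) -> Optional[Packet]:
    """Pass a packet through `hops` routers. Each router decrements the TTL and
    discards the packet (sending ICMP Time Exceeded to the source) when it hits 0."""
    ttl = pkt.ttl
    for _ in range(hops):
        ttl -= 1
        if ttl <= 0:
            return None
    return Packet(pkt.stream, pkt.seq, ttl, pkt.payload)


def reassemble(packets: List[Packet]) -> bytes:
    """Rebuild the stream from the segments seen. Policy (assumption): the first
    segment observed at a given offset wins; later overlaps are ignored."""
    buf: Dict[int, bytes] = {}
    for p in packets:
        buf.setdefault(p.seq, p.payload)
    return b"".join(buf[k] for k in sorted(buf))


def passive_sensor(wire: List[Packet]) -> List[Packet]:
    """Promiscuous (non-inline) sensor: records every segment that reaches its tap."""
    return [s for s in (route(p, ROUTERS_BEFORE_SENSOR) for p in wire) if s is not None]


def deliver(wire: List[Packet]) -> List[Packet]:
    """Segments that survive all routers and arrive at the target host."""
    return [d for d in (route(p, ROUTERS_BEFORE_TARGET) for p in wire) if d is not None]


def inline_normalizing_sensor(wire: List[Packet]):
    """Inline sensor that rewrites each outgoing segment's TTL to the lowest TTL
    seen so far on its stream (simplified model of the behaviour the text
    describes, not the product's code). Returns (segments seen, segments delivered)."""
    lowest: Dict[str, int] = {}
    seen: List[Packet] = []
    forwarded: List[Packet] = []
    for p in wire:
        at_sensor = route(p, ROUTERS_BEFORE_SENSOR)
        if at_sensor is None:
            continue
        seen.append(at_sensor)
        lowest[p.stream] = min(lowest.get(p.stream, at_sensor.ttl), at_sensor.ttl)
        forwarded.append(Packet(p.stream, p.seq, lowest[p.stream], p.payload))
    remaining = ROUTERS_BEFORE_TARGET - ROUTERS_BEFORE_SENSOR
    delivered = [d for d in (route(f, remaining) for f in forwarded) if d is not None]
    return seen, delivered


def ttl_inconsistency(seen: List[Packet]) -> List[str]:
    """Defender's check: streams whose segments arrived with more than one TTL value."""
    ttls: Dict[str, set] = {}
    for p in seen:
        ttls.setdefault(p.stream, set()).add(p.ttl)
    return sorted(s for s, t in ttls.items() if len(t) > 1)


def build_wire(real: bytes, bogus: bytes, chunk: int = 4) -> List[Packet]:
    """Interleave a low-TTL decoy segment before each real segment at the same offset
    (the pattern Figure 8-2 describes: decoys start at TTL 3, real segments at TTL 7)."""
    wire: List[Packet] = []
    for off in range(0, len(real), chunk):
        wire.append(Packet(STREAM, off, 3, bogus[off:off + chunk]))
        wire.append(Packet(STREAM, off, 7, real[off:off + chunk]))
    return wire


def run_scenario() -> Dict[str, object]:
    real, bogus = b"attack-signature", b"harmless-looking"   # constructed payloads
    wire = build_wire(real, bogus)
    seen, delivered = inline_normalizing_sensor(wire)
    return {
        "passive_sensor": reassemble(passive_sensor(wire)),      # decoys win: signature hidden
        "target_without_normalization": reassemble(deliver(wire)),  # only real segments arrive
        "target_with_normalization": reassemble(delivered),      # every segment now dies en route
        "suspicious_streams": ttl_inconsistency(seen),           # mixed TTLs flag the stream
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v!r}")
```

In this model the normalizer pins the stream to the decoys' TTL, so the real segments are discarded before the target and the sensor's view and the target's view no longer diverge. Note the ordering dependency: the lowest TTL is only known once it has been observed, so segments forwarded before the first decoy keep their original TTL in this simplified model. The TTL-inconsistency check is independent of normalization and gives a passive sensor a signal to raise even when it cannot rewrite packets.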


Responses

  • HANNELE
    What device decreases the TTL value whenever a packet traverses it?
    10 months ago
