Detecting Zero TTL Traffic

As with TCP and UDP port 0, it is possible to put a packet on the wire with a zero TTL value. Although such a packet should never be forwarded by a device that routes IP packets, a system can send such packets against any other system that is connected by means of a layer two device (such as a switch or bridge).

Snort rule ID 1321 detects IP packets that have the TTL value set to zero (shown in bold), and a corresponding iptables message appears below, as shown here:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,\;EN-US\;q138268; reference:url,; classtype:misc-activity; sid:1321; psad_id:100104; psad_dl:2;)

An iptables log message that contains the value 0 in the TTL field will trigger this signature in psad, containing TTL=0, as shown in bold:

Jul 14 15:33:28 iptables kernel: IN=eth1 OUT= MAC=00:13:46:3a:41:4b:00:13:46: c2:60:44:08:00 SRC= DST= LEN=104 TOS=0x00 PREC=0x00 TTL=0 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1830 SE0=15412 Jul 14 15:33:31 iptablesfw psad: src: signature match: "BAD-TRAFFIC 0 ttl" (sid: 1321) ip

Was this article helpful?

0 0

Post a comment