TTL Match - WTF?
Joakim Axelsson
gozem@aaricia.hemmet.chalmers.se
Thu, 18 Oct 2001 14:47:08 +0200 (CEST)
On Thu, 18 Oct 2001, James Stevenson wrote:
> Hi
>
>
> > How is matching TTL useful in firewalling/packet filtering? My colleagues
> > and myself cannot think of a situation where this might be useful. Any
> > insight is appreciated.
>
> I can think of at least 1 place of use
>
> say you have a machine with a large link on it serving lots of smaller links
> and networks as a firewall to the internet. which may also be serving other
> networks
>
> eg THENET -> firewall -> neta
>                      \-> netb
>                          \-> netba
>                          \-> netbb
>                      \-> netc
> now on the firewall you could filter packets going to netaa / netbb
> if the TTL is less than 2 because the packet is going to get dropped
> before it reaches netaa or netbb though it could be also nice to send
> a faked icmp TTL: expired packet from the firewall to say it did not reach.
>
> think of this on a larger scale and it could work better if the final links
> are small and almost always overloaded (every little bit helps)
>
> only 1 idea I only just thought of off the top of my head but there could be
> others as well.
>
> James
>
You can also stop traceroutes and other utils tampering with the TTL.
--
/Gozem A.K.A. Joakim Axelsson
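As an added example that is not part of the thread, the script below turns James's idea into iptables `ttl` match rules for a constructed topology like the one in his diagram (prefixes and hop counts are placeholders I made up). It assumes the usual forwarding behaviour: every router on the path, the firewall included, decrements the TTL by one and discards the packet when the result reaches zero, so a packet that must cross N routers needs an arriving TTL of at least N+1 to be delivered. The rules sit in the mangle PREROUTING chain because the TTL seen there is the value as it arrived on the wire, and a packet dropped there never enters the forwarding path, so the firewall does not answer it with ICMP time-exceeded either, which is what Joakim's point about traceroute amounts to. The rate-limited LOG rule is there so the dropped probes still show up in the logs.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Constructed topology: "<destination prefix> <routers to cross, firewall included>"
# 10.2.1.0/24 and 10.2.2.0/24 sit behind the 10.2.0.0/24 router, so they are
# two routers away from THENET; the others are directly behind the firewall.
TOPOLOGY='
10.1.0.0/24 1
10.2.0.0/24 1
10.2.1.0/24 2
10.2.2.0/24 2
10.3.0.0/24 1
'

# Minimum arriving TTL for a packet that must cross $1 routers (assumption:
# each router decrements by one and discards at zero, RFC 791).
min_ttl() {
    echo $(( $1 + 1 ))
}

# Emit one LOG and one DROP rule per destination prefix. Nothing is applied;
# the commands are printed so they can be reviewed, then run with
#   ttl_rules | sh
ttl_rules() {
    echo "$TOPOLOGY" | while read -r prefix hops; do
        [ -n "$prefix" ] || continue
        ttl=$(min_ttl "$hops")
        # A packet below this TTL can never reach $prefix; log a sample so
        # traceroute-style probes remain visible, then drop it before routing
        # (no ICMP time-exceeded is generated for a packet dropped here).
        echo "iptables -t mangle -A PREROUTING -d $prefix -m ttl --ttl-lt $ttl -m limit --limit 5/min -j LOG --log-prefix \"ttl-short: \""
        echo "iptables -t mangle -A PREROUTING -d $prefix -m ttl --ttl-lt $ttl -j DROP"
    done
}

# Count of DROP rules generated, handy for a quick sanity check.
ttl_rule_count() {
    ttl_rules | grep -c -- '-j DROP'
}

ttl_rules
```

With the constructed table, the nets one router away get `--ttl-lt 2` (only a TTL-1 packet, which would expire on the firewall itself, is dropped), while the nets two routers away get `--ttl-lt 3`. Whether the TTL seen in a FORWARD rule is already decremented depends on the kernel, which is another reason to match in PREROUTING.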