TTL Match - WTF?

Joakim Axelsson gozem@aaricia.hemmet.chalmers.se
Thu, 18 Oct 2001 14:47:08 +0200 (CEST)


On Thu, 18 Oct 2001, James Stevenson wrote:

> Hi
> 
> 
> > How is matching TTL useful in firewalling/packet filtering?  My colleagues
> > and I cannot think of a situation where this might be useful.  Any
> > insight is appreciated.
> 
> I can think of at least one place of use.
> 
> Say you have a machine with a large link on it serving lots of smaller links
> and networks as a firewall to the Internet, which may also be serving other
> networks.
> 
> eg THENET -> firewall -> neta
>                       \-> netb
>                              \-> netba
>                              \-> netbb
>                       \-> netc
> Now, on the firewall you could filter packets going to netaa / netbb
> if the TTL is less than 2, because the packet is going to get dropped
> before it reaches netaa or netbb. Though it could also be nice to send
> a faked ICMP TTL-expired packet from the firewall to say it did not reach.
> 
> Think of this on a larger scale and it could work better if the final links
> are small and almost always overloaded (every little bit helps).
> 
> Only one idea I just thought of off the top of my head, but there could be
> others as well.
> 
>     James
> 

You can also stop traceroutes and other utilities that tamper with the TTL.

-- 
/Gozem A.K.A. Joakim Axelsson
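As an added illustration of the two points made in this thread (dropping packets whose TTL cannot carry them to a network several hops behind the firewall, and generating the ICMP Time Exceeded that James suggests faking), here is a small Python model written for this page; it is not code from either poster. The topology, hop counts and addresses are assumptions chosen for the example: the firewall itself counts as one router, netba and netbb sit one router further behind netb, and the generated `iptables -m ttl --ttl-lt` rules use the real netfilter ttl match syntax.

```python
import ipaddress
import struct

# Constructed topology for this example (not from the original post):
# routers a packet traverses, the firewall included, to reach each network.
HOPS_TO_NET = {
    "10.1.0.0/16": 1,   # neta: directly behind the firewall
    "10.2.0.0/16": 1,   # netb
    "10.2.10.0/24": 2,  # netba: behind netb's router
    "10.2.20.0/24": 2,  # netbb
    "10.3.0.0/16": 1,   # netc
}


def hops_to(dst):
    """Longest-prefix match of dst against HOPS_TO_NET; None if not routed by us."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hops in HOPS_TO_NET.items():
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hops)
    return None if best is None else best[1]


def ttl_verdict(ttl, dst):
    """DROP when the packet would expire before reaching dst.

    Every router, this firewall included, decrements TTL and discards the
    packet when it reaches 0, so a host h routers away needs TTL >= h + 1.
    """
    hops = hops_to(dst)
    if hops is None:
        return "ACCEPT"  # not one of our downstream networks; other rules decide
    return "DROP" if ttl <= hops else "ACCEPT"


def iptables_rules(iface="eth0"):
    """Equivalent netfilter rules, most specific prefix first.

    --ttl-lt is exclusive, so TTL < hops + 1 is the same test as TTL <= hops.
    """
    ordered = sorted(HOPS_TO_NET.items(),
                     key=lambda kv: -ipaddress.ip_network(kv[0]).prefixlen)
    return [f"iptables -A FORWARD -i {iface} -d {net} -m ttl --ttl-lt {hops + 1} -j DROP"
            for net, hops in ordered]


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_packet(src, dst, ttl, proto, payload, ident=0):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_time_exceeded(fw_ip, original):
    """ICMP Time Exceeded (type 11, code 0) the firewall would send back.

    Per RFC 792 the body quotes the original IP header plus its first
    8 payload bytes; the reply goes to the original packet's source.
    """
    ihl = (original[0] & 0x0F) * 4
    orig_src = str(ipaddress.ip_address(original[12:16]))
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + original[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return ipv4_packet(fw_ip, orig_src, 64, 1, icmp)


if __name__ == "__main__":
    # Constructed probe: a UDP packet to netba arriving with TTL 2.
    probe = ipv4_packet("198.51.100.7", "10.2.10.7", 2, 17,
                        b"\x00\x35\x00\x35\x00\x10\x00\x00deadbeef")
    print(ttl_verdict(2, "10.2.10.7"))          # DROP
    print(icmp_time_exceeded("203.0.113.1", probe).hex())
    print("\n".join(iptables_rules()))
```

Note that netfilter's REJECT target has no time-exceeded variant, so the rules above can only DROP; the ICMP reply James describes would have to come from something like the userspace builder shown here. Joakim's point follows from the same match: a FORWARD rule with `-m ttl --ttl-lt N -j DROP` and no destination restriction discards the low-TTL probes traceroute uses to map the routers behind the firewall.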