Expired-TTL attack.

Created Aug 17, 2018 01:30:56 | Latest reply Aug 25, 2018 09:59:40

When a device receives an IP packet whose TTL value is 1, it sends the packet to the CPU. Traceroute uses packets with TTL value 1 to detect a link hop by hop. An attacker may send a large number of IP packets with TTL value 1 to a network device. The device's CPU then becomes busy processing these packets and sending many ICMP unreachable packets to the sender, and the CPU usage of the device stays high. The following procedure helps us discover the IP address and MAC address of the device that is sending the TTL-expired packets, so that we can take proper action to fix the problem:

1.      Clear statistics on the TTL Expired packets sent to the CPU.

[Huawei] reset cpu-defend statistics packet-type ttl-expired

2.      Wait for one minute and view statistics about the TTL Expired packets sent to the CPU again.

[Quidway] display cpu-defend statistics packet-type ttl-expired
Statistics on slot 2:
---------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
---------------------------------------------------------------------------
ttl-expired            40800      35768          600          52600
---------------------------------------------------------------------------

3.      View the number of passing and discarded packets. If many packets are sent to the CPU or discarded, a TTL Expired packet attack may be occurring.

4.      Configure auto-defend to identify the attack source.

#
cpu-defend policy test
 auto-defend enable
 auto-defend threshold 30                      //A source sending packets at a rate exceeding 30 pps is considered an attack source.
 auto-defend trace-type source-mac source-ip   //Identify the attack source by source MAC address and source IP address.
 auto-defend protocol ttl-expired              //Trace only TTL-expired packet attacks.
 quit
#
cpu-defend-policy test          //Apply the policy to the MPU.
cpu-defend-policy test global   //Apply the policy to all LPUs.
#

Run the following command to view attack source information:

[Quidway] display auto-defend attack-source
  Attack Source User Table (MPU):
  -----------------------------------------------------------------
   MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL
  -----------------------------------------------------------------
  0000-0000-0001   GigabitEthernet5/0/0         500            310
  -----------------------------------------------------------------
  Total: 1

  Attack Source IP Table (MPU):
  -------------------------------------------------------
   IPAddress        TOTAL Packets
  -------------------------------------------------------
  50.1.1.3         310
  -------------------------------------------------------
  Total: 1

Based on the IP and MAC addresses, take appropriate action, such as disconnecting the attacking device from the network.



This post was last edited by RubenMonroy at 2018-8-17 01:35.
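The script below is an added example, not part of the original post or of Huawei's software. It automates steps 2 to 4 of the procedure above: it parses the two display outputs quoted in the post (embedded here as constructed samples copied from the post), works out the average rate at which TTL-expired packets hit the CPU path, applies the post's criterion (many packets sent to the CPU or discarded), and extracts the MAC and IP addresses that auto-defend attributed the traffic to. Assumptions not stated in the post: the statistics are read exactly one minute after the reset, so packets divided by 60 s gives an average pps; the 30 pps auto-defend threshold from the policy is reused as the alarm level; and any non-zero Drop(Packets) count is taken to mean the CPU rate limiter was saturated. Function names (`parse_cpu_defend_stats`, `triage`, etc.) are the example's own.

```python
"""Added example (not from the original post): parse the two VRP display outputs quoted
above and decide whether they indicate a TTL-expired flood and who auto-defend blames.
Assumed (see lead-in): a 60 s window after the reset, the post's 30 pps threshold as alarm."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, copied from the post: display cpu-defend statistics packet-type ttl-expired
CPU_DEFEND_STATS = """\
Statistics on slot 2:
---------------------------------------------------------------------------
Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)
---------------------------------------------------------------------------
ttl-expired            40800      35768          600          52600
---------------------------------------------------------------------------
"""
# Constructed sample, copied from the post: display auto-defend attack-source
ATTACK_SOURCE = """\
  Attack Source User Table (MPU):
  ----------------------------------------------------------------
   MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL
  ----------------------------------------------------------------
  0000-0000-0001   GigabitEthernet5/0/0         500            310
  ----------------------------------------------------------------
  Total: 1

  Attack Source IP Table (MPU):
  -------------------------------------------------------
   IPAddress        TOTAL Packets
  -------------------------------------------------------
  50.1.1.3         310
  -------------------------------------------------------
  Total: 1
"""
AUTO_DEFEND_THRESHOLD_PPS = 30  # "auto-defend threshold 30" in the post's policy (assumed alarm level)

SLOT_LINE = re.compile(r"Statistics on slot (\d+)")
STATS_ROW = re.compile(r"^\s*([a-z0-9-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MAC_ROW = re.compile(r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.I)
IP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$")

@dataclass
class PuntStats:
    slot: Optional[int]       # LPU slot the counters belong to (None if no slot header seen)
    packet_type: str
    pass_bytes: int
    drop_bytes: int
    pass_packets: int         # packets sent on to the CPU
    drop_packets: int         # packets discarded by the CPU rate limiter (assumption: saturation)

    @property
    def total_packets(self) -> int:
        return self.pass_packets + self.drop_packets

def parse_cpu_defend_stats(text: str) -> list[PuntStats]:
    """One PuntStats per counter row; tolerates several 'Statistics on slot N:' blocks."""
    rows, slot = [], None
    for line in text.splitlines():
        if (m := SLOT_LINE.search(line)):
            slot = int(m.group(1))
        elif (m := STATS_ROW.match(line)):
            rows.append(PuntStats(slot, m.group(1), *map(int, m.groups()[1:])))
    return rows

def punt_rate_pps(stats: PuntStats, window_seconds: int) -> float:
    """Average rate at which this packet type hit the CPU path (pass + drop) over the window."""
    return stats.total_packets / window_seconds

def is_ttl_expired_flood(stats: PuntStats, window_seconds: int,
                         threshold_pps: int = AUTO_DEFEND_THRESHOLD_PPS) -> bool:
    """The post's criterion: many TTL-expired packets reaching the CPU, or any being discarded."""
    if stats.packet_type != "ttl-expired":
        return False
    return stats.drop_packets > 0 or punt_rate_pps(stats, window_seconds) > threshold_pps

def parse_attack_sources(text: str) -> dict[str, list[dict]]:
    """Extract the MAC table and the IP table of 'display auto-defend attack-source'."""
    out: dict[str, list[dict]] = {"mac": [], "ip": []}
    for line in text.splitlines():
        if (m := MAC_ROW.match(line)):
            mac, iface, vlan, total = m.groups()
            out["mac"].append({"mac": mac.lower(), "interface": iface, "vlan": vlan, "packets": int(total)})
        elif (m := IP_ROW.match(line)):
            out["ip"].append({"ip": m.group(1), "packets": int(m.group(2))})
    return out

def triage(stats_text: str, sources_text: str, window_seconds: int = 60) -> dict:
    """Steps 2 to 4 of the procedure in one call: verdict, per-slot pps, attributed sources."""
    rows = [r for r in parse_cpu_defend_stats(stats_text) if r.packet_type == "ttl-expired"]
    flood = any(is_ttl_expired_flood(r, window_seconds) for r in rows)
    return {"flood": flood,
            "punt_pps": {r.slot: round(punt_rate_pps(r, window_seconds), 1) for r in rows},
            "sources": parse_attack_sources(sources_text) if flood else {"mac": [], "ip": []}}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(CPU_DEFEND_STATS, ATTACK_SOURCE), indent=2))
```

Run it as-is to see the verdict for the post's figures (53200 TTL-expired packets in a minute is roughly 887 pps against a 30 pps threshold, with 52600 of them dropped), then feed it your own captures. Note that the device-wide rate can legitimately exceed 30 pps when many hosts run traceroute at once; the per-source attribution that tells you who to disconnect comes from the auto-defend tables, which is why the script only reports sources once the counters look abnormal.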

Gabo  Moderator   Created Aug 24, 2018 02:03:54 Helpful(1)

Nice sharing Sr Ruben, many thanks for the information.

#When you want to succeed as much as you want to breathe, then you'll be successful.

xelamaster69  Novice   Created Aug 24, 2018 04:12:59 Helpful(0)

Thanks for explaining how TTL works.

emontiel     Created Aug 24, 2018 23:06:32 Helpful(0)

Awesome! It's always good to know different kinds of attacks and how to mitigate them.
It's very well explained thanks for sharing!!

JorgeZC  Novice   Created Aug 24, 2018 23:06:35 Helpful(0)

Thanks for sharing, useful information regarding TTL :)

No.9527  Mentor   Created Aug 25, 2018 09:59:40 Helpful(0)

Good document, it is useful for me with cpu-defend.