Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
Expired-TTL attack.

Expired-TTL attack.

Latest reply: Aug 25, 2018 01:59:40 1733 5 2 0 0
display all floors #1

When receiving an IP packet of which the TTL value is 1, the device sends this packet to the CPU. Traceroute is to use the packet with TTL value 1 to detect a link hop-by-hop. An attacker may send a large number of IP packets with TTL value 1 to a network device. Then the device's CPU is busy processing these packets and sends many ICMP unreachable packets to the sender. The CPU usage of the device keeps high. The following procedure help us to discover the IP address and MAC address from the device that is sending the ttl-expired packages, so we can take proper actions to fix the problem:


 

1.      Clear statistics on the TTL Expired packets sent to the CPU.

[Huawei] reset cpu-defend statistics packet-type ttl-expired

 

2.      Wait for one minute and view statistics about the TTL Expired packets sent to the CPU again.

[Quidway] display cpu-defend statistics packet-type ttl-expired

Statistics on slot 2:

-----------------------------------------------------------------------------------------------------------------

Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)

-----------------------------------------------------------------------------------------------------------------

ttl-expired            40800      35768          600          52600

-----------------------------------------------------------------------------------------------------------------

3.      View the number of passing and discarded packets. If many packets are sent to the CPU or discarded, a TTL Expired packet attack may occur.

4.      Configure auto-defend to identify the attack source.

#

cpu-defend policy test

 auto-defend enable

auto-defend threshold 30  //The device sending packets of which the rate exceeds 30 pps is considered attack source.

auto-defend trace-type source-mac source-ip  //Identify attack source based on source MAC or IP addresses.

auto-defend protocol ttl-expired  //Identify only TTL-Expired packet attacks.

#

 

cpu-defend-policy test

quit

cpu-defend-policy test global

#

Run the command to view attack source information:

[Quidway] display auto-defend attack-source

  Attack Source User Table (MPU):

  -----------------------------------------------------------------------------------------------

   MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL

  -----------------------------------------------------------------------------------------------

  0000-0000-0001   GigabitEthernet5/0/0         500            310

  -----------------------------------------------------------------------------------------------

  Total: 1

 

  Attack Source IP Table (MPU):

  -------------------------------------------------------

   IPAddress        TOTAL Packets

  -------------------------------------------------------

  50.1.1.3         310

  -------------------------------------------------------

  Total: 1 

 

 Basing on the IP and MAC address, take proper actions like disconnecting the attacking device from the network.



This post was last edited by RubenMonroy at 2018-08-16 17:35.
  • x
  • convention:

Like (2) Dislike (0) Favorite(0) Share Report
Previous: AR router not advertise ipv6 Getaway to PC
Next: NE20E cannot login with SSH
Gabo
Created Aug 23, 2018 18:03:54

Nice sharing Sr Ruben, many thanks for the information.
View more
  • x
  • convention:
xelamaster69
Created Aug 23, 2018 20:12:59

Thanks about how does TTL works.
View more
  • x
  • convention:
emontiel
Created Aug 24, 2018 15:06:32

Awesome! It's always good to know different kind of attacks and how to mitigate them.
It's very well explained thanks for sharing!!
View more
  • x
  • convention:
JorgeZC
Created Aug 24, 2018 15:06:35

Thanks for sharing, useful information regarding TTL :)
View more
  • x
  • convention:
No.9527
Created Aug 25, 2018 01:59:40

good document, it is useful for me with the cpu-defend
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.