This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Enterprise
Community Forums Switches
Expired-TTL attack.

Expired-TTL attack.

Latest reply: Aug 25, 2018 01:59:40 854 5 2 0
display all floors #1

When receiving an IP packet of which the TTL value is 1, the device sends this packet to the CPU. Traceroute is to use the packet with TTL value 1 to detect a link hop-by-hop. An attacker may send a large number of IP packets with TTL value 1 to a network device. Then the device's CPU is busy processing these packets and sends many ICMP unreachable packets to the sender. The CPU usage of the device keeps high. The following procedure help us to discover the IP address and MAC address from the device that is sending the ttl-expired packages, so we can take proper actions to fix the problem:


 

1.      Clear statistics on the TTL Expired packets sent to the CPU.

[Huawei] reset cpu-defend statistics packet-type ttl-expired

 

2.      Wait for one minute and view statistics about the TTL Expired packets sent to the CPU again.

[Quidway] display cpu-defend statistics packet-type ttl-expired

Statistics on slot 2:

-----------------------------------------------------------------------------------------------------------------

Packet Type         Pass(Bytes)  Drop(Bytes)   Pass(Packets)   Drop(Packets)

-----------------------------------------------------------------------------------------------------------------

ttl-expired            40800      35768          600          52600

-----------------------------------------------------------------------------------------------------------------

3.      View the number of passing and discarded packets. If many packets are sent to the CPU or discarded, a TTL Expired packet attack may occur.

4.      Configure auto-defend to identify the attack source.

#

cpu-defend policy test

 auto-defend enable

auto-defend threshold 30  //The device sending packets of which the rate exceeds 30 pps is considered attack source.

auto-defend trace-type source-mac source-ip  //Identify attack source based on source MAC or IP addresses.

auto-defend protocol ttl-expired  //Identify only TTL-Expired packet attacks.

#

 

cpu-defend-policy test

quit

cpu-defend-policy test global

#

Run the command to view attack source information:

[Quidway] display auto-defend attack-source

  Attack Source User Table (MPU):

  -----------------------------------------------------------------------------------------------

   MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL

  -----------------------------------------------------------------------------------------------

  0000-0000-0001   GigabitEthernet5/0/0         500            310

  -----------------------------------------------------------------------------------------------

  Total: 1

 

  Attack Source IP Table (MPU):

  -------------------------------------------------------

   IPAddress        TOTAL Packets

  -------------------------------------------------------

  50.1.1.3         310

  -------------------------------------------------------

  Total: 1 

 

 Basing on the IP and MAC address, take proper actions like disconnecting the attacking device from the network.



This post was last edited by RubenMonroy at 2018-08-16 17:35.
  • x
  • convention:

Helpful (2) Favorite(0) Share Report
Gabo
Created Aug 23, 2018 18:03:54 Helpful(1) Helpful(1)

Nice sharing Sr Ruben, many thanks for the information.
  • x
  • convention:
#When you want to succed as much as you want to breathe, then you'll be successful.
xelamaster69
Created Aug 23, 2018 20:12:59 Helpful(0) Helpful(0)

Thanks about how does TTL works.
  • x
  • convention:
emontiel
Created Aug 24, 2018 15:06:32 Helpful(0) Helpful(0)

Awesome! It's always good to know different kind of attacks and how to mitigate them.
It's very well explained thanks for sharing!!
  • x
  • convention:
JorgeZC
Created Aug 24, 2018 15:06:35 Helpful(0) Helpful(0)

Thanks for sharing, useful information regarding TTL :)
  • x
  • convention:
No.9527
Created Aug 25, 2018 01:59:40 Helpful(0) Helpful(0)

good document, it is useful for me with the cpu-defend
  • x
  • convention:
Back to list

Comment

Reply
Advanced
B Color Image Link Quote Code Smilies
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy Terms of Use
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.

APP