[Snort-devel] TTL Evasion

Sam Ng sng at ...1047...
Wed Sep 18 23:51:02 EDT 2002


Here is the code for TTL Evasion

###############
if(s4data.ttl_limit)
{
    if(ssn->ttl)
    {   /* have we already set a client ttl? */
        if(abs(ssn->ttl - p->iph->ip_ttl) >= s4data.ttl_limit)
        {
            SetEvent(&event, GENERATOR_SPP_STREAM4,
                     STREAM4_TTL_EVASION, 1, 0, 5, 0);
            CallAlertFuncs(p, "spp_stream4: TTL EVASION (reassemble)"
                           " detection", NULL, &event);
            CallLogFuncs(p, "spp_stream4: TTL EVASION (reassemble) "
                         "detection", NULL, &event);
            /* throw away this stuff so we will still see the real attack */
            return;
        }
    }
    else
    {
        ssn->ttl = p->iph->ip_ttl; /* first packet we've seen, lets go ahead and set it. */
    }
}
###############

I think maybe we should not detect the variation in the TTL; instead,
maybe we should be alerted only if the ip_ttl is very small, say 1 or
2, because this is the case where the TCP reassembly will be out of sync
with the destination (or be confused).

Anyway, the ttl_limit default is 5, which is quite small; IP packets in
the same TCP session may travel via different paths, or even different
countries.

I suggest changing the code as follows:

ttl_limit default = 2
if(abs(ssn->ttl - p->iph->ip_ttl) >= s4data.ttl_limit)
==> change to ==>
if ( p->iph->ip_ttl <= s4data.ttl_limit )

Regards,

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Sam NG
Doctor A Security Systems (HK) Ltd.
708 Millennium City 2
378 Kwuntong Road
Kowloon
HONG KONG
Tel: +852 2342-4355
Fax: +852 2342-4310
Email: sng at ...1047... 
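As an added example (not Snort's code and not part of the post above), here is a stand-alone C program that runs both the original variance check and the proposed low-TTL check over a constructed packet sequence, so the two policies can be compared on the same session. The Session and Packet structs are minimal assumptions standing in for Snort's, and the TTL sequence is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for Snort's Session and Packet (assumption: only TTL matters). */
typedef struct { unsigned char ttl; } Session;   /* ttl == 0 means "not yet set" */
typedef struct { unsigned char ip_ttl; } Packet;

/* Original stream4 logic: alert (and drop the segment) when this packet's TTL
 * differs from the session's first-seen TTL by at least ttl_limit. */
int ttl_variance_check(Session *ssn, const Packet *p, int ttl_limit)
{
    if (ssn->ttl) {
        if (abs((int)ssn->ttl - (int)p->ip_ttl) >= ttl_limit)
            return 1;                 /* alert: TTL changed too much */
    } else {
        ssn->ttl = p->ip_ttl;         /* first packet: remember its TTL */
    }
    return 0;
}

/* Proposed logic from the post: alert only when the TTL itself is so low that
 * the segment may expire before the destination sees it. */
int ttl_low_check(const Packet *p, int ttl_limit)
{
    return p->ip_ttl <= ttl_limit;
}

/* Count the alerts one policy raises over a TTL sequence (use_low_check
 * selects the proposed check, otherwise the original variance check). */
int count_alerts(const unsigned char *ttls, int n, int ttl_limit, int use_low_check)
{
    Session ssn = {0};
    int alerts = 0;
    for (int i = 0; i < n; i++) {
        Packet p = { ttls[i] };
        alerts += use_low_check ? ttl_low_check(&p, ttl_limit)
                                : ttl_variance_check(&ssn, &p, ttl_limit);
    }
    return alerts;
}

/* Constructed sample session: the path changes mid-stream (TTL 64 -> 57),
 * then one segment carries TTL 1 and would expire before the server. */
static const unsigned char sample_ttls[] = { 64, 64, 57, 64, 1, 64 };
#define SAMPLE_N 6

int main(void)
{
    printf("variance check, limit 5: %d alerts\n", count_alerts(sample_ttls, SAMPLE_N, 5, 0));
    printf("low-TTL check, limit 2: %d alerts\n", count_alerts(sample_ttls, SAMPLE_N, 2, 1));
    return 0;
}
```

With the sample above, the variance check fires twice (once on the harmless path change to TTL 57, once on the TTL 1 segment), while the low-TTL check fires only on the TTL 1 segment.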
