[Snort-devel] TTL Evasion

Jason security at ...1585...
Sun Sep 22 10:02:02 EDT 2002


I think that there is value in logging changes in ttl by session.

In concept I think it is useful to alert if ttl variance per session is 
outside a configurable range but, upon alerting, to set the ref ttl to 
the new value to minimize constant alerts. The information can be quite 
useful if you suspect session and / or route hijacking. Adding the 
ability to tag and log for x packets could even aid in catching the 
injection attacks common in this scenario when doing analysis later if 
needed.

If you further add to that configurable variances by last hop according 
to MAC then I think you would have a way to account for local topology 
variances while still looking for questionable external variances.

Jason.

Sam Ng wrote:
> Here is the code for TTL Evasion
> 
> ###############
> if(s4data.ttl_limit)
> {
>     if(ssn->ttl)
>     { /* have we already set a client ttl? */
> 	if(abs(ssn->ttl - p->iph->ip_ttl) >= s4data.ttl_limit)
> 	{
> 	    SetEvent(&event, GENERATOR_SPP_STREAM4, 
> 		     STREAM4_TTL_EVASION, 1, 0, 5, 0);
> 	    CallAlertFuncs(p, "spp_stream4: TTL EVASION (reassemble)"
> 		   " detection", NULL, &event);
> 	    CallLogFuncs(p, "spp_stream4: TTL EVASION (reassemble) "
> 		 "detection", NULL, &event);
> 	    /* throw away this stuff so we will still see the real attack */
> 	    return;
> 	}
>     } 
>     else  
>     {
> 	ssn->ttl = p->iph->ip_ttl; /* first packet we've seen, lets go ahead and set it. */
>     }
> }
> ###############
> 
> I think maybe we should not detect the variation in the TTL; instead,
> maybe we should be alerted only if the ip_ttl is very small, say 1 or
> 2, because this is the case where the TCP reassembly will be out of sync
> with the destination (or be confused).
> 
> Anyway, the ttl_limit default is 5, which is quite small; IP packets in
> the same TCP session may travel via different paths, or even different
> countries.
> 
> I suggest to change the code as follows:
> 
> ttl_limit default = 2
> if(abs(ssn->ttl - p->iph->ip_ttl) >= s4data.ttl_limit) 
> ==> change to ==> 
> if ( p->iph->ip_ttl <= s4data.ttl_limit )
> 
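As an added example that is not code from either post or from Snort itself, here is the per-session check Jason describes (alert on drift beyond a configurable limit, then move the reference TTL to the new value) combined with Sam's small-TTL rule; the struct and function names and the sample TTL sequence are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Assumed names, not Snort's; ref_ttl mirrors ssn->ttl (0 = not yet set). */
typedef struct {
    uint8_t ref_ttl;
    int variance_alerts;  /* |ref_ttl - observed| >= ttl_limit */
    int low_ttl_alerts;   /* observed TTL <= min_ttl (Sam's rule) */
} ttl_session;

/* Returns 1 if pkt_ttl raised an alert. After a variance alert the reference
 * moves to the new TTL, so a real route change alerts once (Jason's idea). */
int ttl_check(ttl_session *s, int ttl_limit, int min_ttl, uint8_t pkt_ttl)
{
    int alerted = 0;
    if (pkt_ttl <= min_ttl) {
        s->low_ttl_alerts++;
        alerted = 1;
    }
    if (s->ref_ttl == 0) {
        s->ref_ttl = pkt_ttl;   /* first packet seen: set the reference */
        return alerted;
    }
    if (abs((int)s->ref_ttl - (int)pkt_ttl) >= ttl_limit) {
        s->variance_alerts++;
        s->ref_ttl = pkt_ttl;   /* re-baseline after alerting */
        alerted = 1;
    }
    return alerted;
}

/* Feed a TTL sequence through one session; returns the number of alerting packets. */
int run_sequence(const uint8_t *ttls, int n, int lim, int min_ttl, ttl_session *out)
{
    ttl_session s = { 0, 0, 0 };
    int total = 0;
    for (int i = 0; i < n; i++) total += ttl_check(&s, lim, min_ttl, ttls[i]);
    if (out) *out = s;
    return total;
}

int main(void)
{
    /* constructed sample: stable at 52, 5-hop route change to 47, then TTL 1 */
    uint8_t seq[] = { 52, 52, 51, 47, 47, 47, 1 };
    ttl_session s;
    int alerted = run_sequence(seq, 7, 5, 2, &s);
    printf("alerted=%d variance=%d low_ttl=%d final ref=%u\n", alerted, s.variance_alerts, s.low_ttl_alerts, (unsigned)s.ref_ttl);
    return 0;
}
```

With ttl_limit 5 and min_ttl 2 the sample sequence alerts twice (once for the route change, once for the TTL-1 packet); without the re-baseline step every packet after the route change would alert.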