[Snort-sigs] SID 1321 Rule Description

Ryan Hill rhill at ...290...
Wed Jan 23 12:24:15 EST 2002

Rule: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC 0 ttl";
ttl:0; sid:1321; classtype:misc-activity; rev:4;) 

Sid: 1321

Summary: This alert triggers based on the detection of IP datagrams
containing a time-to-live value set to 0.  This should not occur during
normal IP communications.

Impact: Any application using the IP protocol may be affected; packet
analysis is required to determine the severity of a given event.

Detailed Information: 
In IP communications, the time-to-live (TTL) field limits how far a datagram
can travel, which supports performance optimization and route determination.
During normal IP communications, the TTL field is initialized to a variable
high value and decremented by 1 by every router the packet passes through
until it reaches 0.

A device receiving an IP datagram with a TTL of 0 is not permitted to relay
the packet any further, but will process the packet locally if the packet is
addressed to that device.  See RFC 1122 for more information regarding TTL
values and the specifications covering their use.

Several applications deliberately generate TTL 0 packets, essentially
multicast packets destined for the local machine.  These packets are never
forwarded onto the network and are instead processed locally.
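As an added example that is not part of the original post, the following Python code shows how the TTL field is located in a raw IPv4 header and how the rule's "ttl:0" test is applied to it. It goes slightly beyond the rule itself by also evaluating the other Snort "ttl:" option forms (less-than, greater-than, and ranges); the packets are constructed inline rather than captured traffic.

```python
import re
import struct

def build_ipv4_header(ttl, src="10.0.0.5", dst="10.0.0.9", proto=1):
    """Build a constructed, minimal 20-byte IPv4 header with the given TTL.
    Checksum is left as 0 because only the TTL field matters here."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, ttl, proto, 0, src_b, dst_b)

def parse_ttl(packet):
    """Return the TTL of a raw IPv4 packet, or None if the header is not IPv4."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4 or (version_ihl & 0x0F) * 4 < 20:
        return None
    return packet[8]  # TTL is the 9th byte of the IPv4 header

def ttl_option_matches(option, ttl):
    """Evaluate a Snort 'ttl:' option value ('0', '<5', '>200', '3-5') against a TTL."""
    option = option.strip()
    m = re.fullmatch(r"(\d+)-(\d+)", option)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo <= ttl <= hi
    m = re.fullmatch(r"(<=|>=|<|>|=)?\s*(\d+)", option)
    if not m:
        raise ValueError(f"unsupported ttl option: {option!r}")
    op, n = m.group(1) or "=", int(m.group(2))
    return {"=": ttl == n, "<": ttl < n, ">": ttl > n,
            "<=": ttl <= n, ">=": ttl >= n}[op]

def sid_1321_fires(packet):
    """True when the rule above (ttl:0) would alert on this packet."""
    ttl = parse_ttl(packet)
    return ttl is not None and ttl_option_matches("0", ttl)

if __name__ == "__main__":
    for ttl in (0, 1, 64):
        print(f"TTL={ttl}: alert={sid_1321_fires(build_ipv4_header(ttl))}")
```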

Attack Scenarios: 
System Probing, Corrupted IP Traffic or Exploit Attempts

Ease of Attack: 
Network exploit attempts using this method would be difficult because the
attacker would need to be on the same subnet (no routers in the path), to
traverse a non-RFC-compliant router, or to be directly connected to the
target (console) in order for the packets to arrive at their destination.
Most IP implementations will not emit a TTL=0 packet onto the network, so a
packet-crafting tool would be necessary.

False Positives:

False Negatives:

Corrective Action:
Packet filter for TTL=0.

Contributors: Ryan Hill, rhill at ...290...
