What is the TTL expiry attack?

Overview

Every packet transmitted over the Internet carries a lifetime so that it cannot circulate forever if a routing loop forms. This lifetime is the time to live (TTL), an essential field of the IPv4 header. Although originally defined as a time in seconds, in practice the TTL is a hop count: every router that forwards the packet decrements it by one.


IPv4 header

An IPv4 header contains the essential information about an IP packet: the source and destination addresses, the packet length, flags, the header checksum, and so on.

The TTL is a single-byte field set by the sender and can hold values from 0 to 255. The IPv4 header looks like the following:

[Figure: IPv4 header layout]

When a packet is transmitted, every router between the source and destination decrements the TTL by 1 before forwarding it to the next hop.

A router that would have to decrement the TTL to 0 discards the packet instead and sends an ICMP (Internet Control Message Protocol) Time Exceeded message back to the packet's source. This is known as TTL expiry.

TTL expiry attack

An attacker can use a TTL expiry attack to drive up the CPU load of a router, because generating ICMP error messages is handled by the router's CPU (its control plane) rather than by the hardware forwarding path. The process can be described as follows:

  • The attacker sends a massive number of packets toward the destination host with a TTL of at most t-1, where t is the number of hops to the destination, so that the TTL expires at a router on the path rather than at the destination.
  • When the packets reach the last router before the destination, their TTL is 1. Forwarding a packet to the destination would decrement its TTL to 0.
  • Hence that router drops each packet and generates an ICMPv4 Type 11, Code 0 (Time Exceeded in Transit) message back to the packet's source address.
  • The more packets the attacker sends, the more error messages the victim router has to generate.
  • This degrades the bandwidth and network services the victim provides, because every error message costs CPU time that the router would otherwise spend on its normal work.

[Figure: TTL expiry attack]

Prevention

To identify and mitigate TTL expiry attacks, filter or rate-limit packets with low TTL values before they reach the router's CPU. Note that traceroute deliberately sends low-TTL packets and depends on the Time Exceeded replies, so dropping every low-TTL packet outright breaks it; a rate limit on the traffic punted to the CPU is usually preferable to a blanket drop. The following help:

  • Extended ACLs (access control lists) on routed interfaces, which can match on the TTL value of the packet.
  • Hardware rate limiters, which cap the rate of packets punted to the CPU and so protect the local device.
  • Control plane policing (CoPP) and control plane protection (CPPr) on IOS routers.
  • Flexible packet matching (FPM), which classifies packets by matching fields of the IP header.
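The following added example (not part of the original article) ties the attack steps and the prevention list together in one runnable simulation. It builds real 20-byte IPv4 headers with a correct RFC 1071 header checksum, walks them through a chain of simulated routers that decrement the TTL and, when the TTL would reach 0, discard the packet and build an ICMPv4 Type 11, Code 0 message to the source, then shows how an ingress low-TTL ACL and a punt rate limiter bound the ICMP work a single router's CPU has to do during a flood. The addresses, hop counts, packet counts and the `punt_budget` parameter are made-up values for the demonstration; the ACL/rate-limiter logic is a model of the mitigations, not any vendor's implementation.

```python
"""Added example: IPv4 TTL handling, TTL expiry, and low-TTL mitigation.

Addresses, hop counts and budgets below are constructed for the demo.
"""
import socket
import struct
from collections import Counter

ICMP_TIME_EXCEEDED = 11   # ICMPv4 type
ICMP_TTL_IN_TRANSIT = 0   # code 0: TTL exceeded in transit


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 17) -> bytes:
    """20-byte IPv4 header without options. The TTL is the single byte at offset 8."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,          # version 4, IHL = 5 words
                         0, 20, 0, 0,           # DSCP/ECN, total length, ID, flags+frag offset
                         ttl & 0xFF, proto, 0,  # TTL, protocol, checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def ttl_of(hdr: bytes) -> int:
    return hdr[8]


def router_hop(hdr: bytes):
    """One router's handling of a packet: returns (forwarded_hdr, icmp_msg),
    exactly one of which is None. A TTL of 1 (or 0) cannot be decremented
    further, so the packet is discarded and a Time Exceeded message is built."""
    ttl = ttl_of(hdr)
    if ttl <= 1:
        # ICMP header (type, code, checksum, unused) followed by the offending IP header.
        body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, ICMP_TTL_IN_TRANSIT, 0, 0) + hdr
        body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
        return None, {"to": socket.inet_ntoa(hdr[12:16]), "type": body[0], "code": body[1]}
    # Decrement TTL, zero the checksum field and recompute it over the new header.
    new = hdr[:8] + bytes([ttl - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return new[:10] + struct.pack("!H", checksum(new)) + new[12:], None


def walk_path(hdr: bytes, n_routers: int):
    """Forward hdr across n_routers routers toward the destination.
    Returns (delivered, index_of_router_that_expired_it_or_None, icmp_or_None)."""
    for i in range(1, n_routers + 1):
        hdr, icmp = router_hop(hdr)
        if icmp is not None:
            return False, i, icmp
    return True, None, None


def ttl_expiry_flood(attacker_ip: str, dst_ip: str, n_routers: int, count: int, ttl: int):
    """Send `count` packets with the given TTL down an n_routers path and count the
    ICMP Time Exceeded messages each router is forced to generate."""
    icmp_per_router = Counter()
    delivered = 0
    for _ in range(count):
        ok, at, _icmp = walk_path(build_ipv4_header(attacker_ip, dst_ip, ttl), n_routers)
        if ok:
            delivered += 1
        else:
            icmp_per_router[at] += 1
    return delivered, icmp_per_router


def defended_router(packets, min_ttl: int, punt_budget: int):
    """Model of the mitigations on one router (assumed, not vendor-specific):
    an ingress ACL drops packets with TTL below min_ttl before any CPU work, and a
    punt rate limiter allows at most punt_budget expired packets per interval to
    reach the CPU for ICMP generation. Returns a Counter of what happened."""
    stats = Counter()
    for hdr in packets:
        if ttl_of(hdr) < min_ttl:
            stats["acl_dropped"] += 1
            continue
        _fwd, icmp = router_hop(hdr)
        if icmp is None:
            stats["forwarded"] += 1
        elif stats["icmp_generated"] < punt_budget:
            stats["icmp_generated"] += 1
        else:
            stats["rate_limited"] += 1
    return stats


if __name__ == "__main__":
    # Constructed scenario: 3 routers on the path, so a TTL of 3 expires at router 3.
    print(ttl_expiry_flood("198.51.100.7", "203.0.113.10", 3, 500, 3))
    flood = [build_ipv4_header("198.51.100.7", "203.0.113.10", 1) for _ in range(1000)]
    print("no ACL, punt budget 100:", defended_router(flood, 0, 100))
    print("ACL min TTL 6:          ", defended_router(flood, 6, 100))
```

With a three-router path and a TTL of 3, every packet is dropped at the third router, which has to generate one ICMP message per packet; a TTL of 4 is delivered. In the defended case, the ACL absorbs all TTL-1 packets in the forwarding path, while the rate limiter alone caps CPU-generated ICMP messages at the budget and counts the rest as dropped, which is the trade-off the Prevention section describes: the ACL is cheaper but also blocks legitimate traceroute probes, so `min_ttl` has to be chosen with that in mind.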

Copyright ©2024 Educative, Inc. All rights reserved