[nsp] BGP TTL Security Check

Danny McPherson danny at tcb.net
Fri Apr 23 22:28:44 EDT 2004


Roger,
The documentation is indeed correct.  If you're matching on lower
TTLs (e.g., it must be '1') when the packet arrives then an
attacker can craft packets such that they land on the target with
the appropriate TTL value.

However, if you set the value higher (e.g., expect a value of
254) there's no way the attacker can craft packets that land on
the target with that value (assuming intermediate nodes are
correctly decrementing TTLs).

As 'fingers' so gratuitously noted, this has been discussed here,
on NANOG and in several other public forums a number of
times already.  A quick search of the archives should yield
some useful discussions.

-danny

On Apr 23, 2004, at 6:16 PM, Roger wrote:
>
> Shouldn't this be the other way around??  i.e. If ip packet has TTL
> greater than say 2 then drop the packet w/ no ack/response?
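
Added example, not part of the original message or of any vendor's code: a small model of the two policies discussed above, showing from how many TTL decrements away a sender can choose an initial TTL that passes each check. The function names, the ">= 254" reading of "expect a value of 254", and the 30-hop range are assumptions made for the illustration.

```python
MAX_TTL = 255  # largest value the 8-bit IP TTL field can carry


def arrival_ttl(initial_ttl, decrements):
    """TTL seen by the receiver, or None if the packet expires in transit.

    Assumes every intermediate node decrements the TTL correctly.
    """
    remaining = initial_ttl - decrements
    return remaining if remaining > 0 else None


def accept_low(ttl):
    """Policy from the question: the TTL must be a low value (1) on arrival."""
    return ttl == 1


def accept_high(ttl):
    """Policy from the reply: expect 254 on arrival (modelled here as >= 254)."""
    return ttl >= 254


def passing_initial_ttls(policy, decrements):
    """Every initial TTL a sender `decrements` hops away could set to pass."""
    result = []
    for initial in range(1, MAX_TTL + 1):
        ttl = arrival_ttl(initial, decrements)
        if ttl is not None and policy(ttl):
            result.append(initial)
    return result


def reachable_distances(policy, max_decrements):
    """Distances (in TTL decrements) from which some initial TTL passes."""
    return [d for d in range(max_decrements + 1)
            if passing_initial_ttls(policy, d)]


if __name__ == "__main__":
    for name, policy in (("TTL == 1", accept_low), ("TTL >= 254", accept_high)):
        print(name, "passable from distances:", reachable_distances(policy, 30))
```

The low-TTL policy is passable from every distance because the sender controls the starting value; the high-TTL policy is bounded by the field's 255 ceiling, so only senders within one decrement can satisfy it.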
