Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.
The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
Drop the packet
Reset the TCP connection
IPS certainly has the capability to look at and track TTL in connections. It does this by default in the normalizer engine (and modifies the TTL field as required). Not real sure how inspecting TTL can help track people sharing their connections.
Here is a discussion of the various ways of detecting and counting the number of devices behind a NAT router.
When people attach a rogue router or use Microsoft ICS on the network, it should decrement the TTL by one right? I'm just looking for a quick easy way to detect and block it. I've never worked on an IDS or IPS before. I downloaded the IDS feature set for a 2600 router, but I haven't found a way to implement it yet. I run a small recreational ISP, and I don't want people stealing service.