Showing results for 
Search instead for 
Did you mean: 

Filtering packets w/ IDS feature set based on TTL?


Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.



4 Replies 4


The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:

Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)

Drop the packet

Reset the TCP connection

Cisco Employee
Cisco Employee

IPS certainly has the capability to look at and track TTL in connections. It does this by default in the normalizer engine (and modifies the TTL field as required). Not real sure how inspecting TTL can help track people sharing their connections.

Here is a discussion of the various ways of detecting and counting the number of devices behind a NAT router.

When people attach a rogue router or use Microsoft ICS on the network, it should decrement the TTL by one right? I'm just looking for a quick easy way to detect and block it. I've never worked on an IDS or IPS before. I downloaded the IDS feature set for a 2600 router, but I haven't found a way to implement it yet. I run a small recreational ISP, and I don't want people stealing service.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: