cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

265
Views
0
Helpful
4
Replies
global_trekker1
Beginner

Filtering packets w/ IDS feature set based on TTL?

Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.

Mike

CCNA

4 REPLIES 4
pradeepde
Contributor

The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:

Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)

Drop the packet

Reset the TCP connection

cstokes
Cisco Employee

IPS certainly has the capability to look at and track TTL in connections. It does this by default in the normalizer engine (and modifies the TTL field as required). Not real sure how inspecting TTL can help track people sharing their connections.

Here is a discussion of the various ways of detecting and counting the number of devices behind a NAT router.

http://www.topsight.net/article.php?story=2003042408350170

When people attach a rogue router or use Microsoft ICS on the network, it should decrement the TTL by one right? I'm just looking for a quick easy way to detect and block it. I've never worked on an IDS or IPS before. I downloaded the IDS feature set for a 2600 router, but I haven't found a way to implement it yet. I run a small recreational ISP, and I don't want people stealing service.

Content for Community-Ad