Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.
The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
IPS certainly has the capability to look at and track TTL in connections. It does this by default in the normalizer engine (and modifies the TTL field as required). Not real sure how inspecting TTL can help track people sharing their connections.