Hello all, I'm working on securing our network from TTL expiry attacks.
The reading I've done says I can use an ACL:
ip access-list extended ACL-BLOCK-LOW-TTL
deny ip any any ttl lt 16
permit ip any any
!
interface g/#/#
ip access-group ACL-BLOCK-LOW-TTL in
Or I can use the hardware module PFC/DFC incorporated into the 6500
platform rate-limit all ttl-failure ##
I would like to use the latter if possible, but I'm not quite getting the value that follows ttl-failure. I need to prevent TTL packets of 1 or less from being allowed in. From what I read, I just need to place a value at the end of the line that shows just how many TTL packets will be allowed, so 16 in this location will work the same as deny ip any any ttl lt 16.
It took a while to find the correct command, as mls rate-limit doesn't work in the Sup2T module of the 6500.
I plan to configure this on my perimeter switch and maybe on the trusted switch; I don't think it's required there, though.
ej
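As an added illustration (not part of this post and not Cisco code), here is a small Python model of how the ACL approach above behaves: it parses the extended ACL, evaluates it against packets with constructed TTL values (including the implicit deny at the end of every IOS ACL), and audits a constructed config snippet to list the interfaces where the ACL is actually applied inbound, which is the check you would want before trusting that the perimeter is covered. The sample config, the interface names and the helper names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the ACL from the post (the interface name is assumed).
ACL_TEXT = """
ip access-list extended ACL-BLOCK-LOW-TTL
 deny ip any any ttl lt 16
 permit ip any any
"""

# Constructed config snippet: one interface with the ACL inbound, one with it
# outbound (wrong direction for this purpose), one with no ACL at all.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 description UPLINK-ISP (assumed)
 ip access-group ACL-BLOCK-LOW-TTL in
!
interface GigabitEthernet1/2
 ip access-group ACL-BLOCK-LOW-TTL out
!
interface GigabitEthernet1/3
 description no ACL applied
!
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    ttl_op: Optional[str] = None   # "lt", "gt", "eq", "neq" or None (no TTL match)
    ttl_val: Optional[int] = None


# Only the 'ip any any [ttl <op> <n>]' form used in the post is modelled.
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+ip\s+any\s+any(?:\s+ttl\s+(lt|gt|eq|neq)\s+(\d+))?\s*$"
)


def parse_acl(text: str) -> List[Ace]:
    """Extract the access-control entries from an IOS-style extended ACL."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, op, val = m.groups()
            rules.append(Ace(action, op, int(val) if val is not None else None))
    return rules


def ttl_matches(rule: Ace, ttl: int) -> bool:
    """Does a packet with this TTL hit the rule's TTL qualifier (if any)?"""
    if rule.ttl_op is None:
        return True
    return {
        "lt": ttl < rule.ttl_val,
        "gt": ttl > rule.ttl_val,
        "eq": ttl == rule.ttl_val,
        "neq": ttl != rule.ttl_val,
    }[rule.ttl_op]


def evaluate(rules: List[Ace], ttl: int) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if ttl_matches(rule, ttl):
            return rule.action
    return "deny"


def inbound_acl_interfaces(config: str, acl_name: str) -> List[str]:
    """List interfaces on which `ip access-group <acl_name> in` is applied."""
    current = None
    found = []
    for line in config.splitlines():
        m_if = re.match(r"^interface\s+(\S+)", line)
        if m_if:
            current = m_if.group(1)
            continue
        if current and re.match(rf"^\s*ip access-group\s+{re.escape(acl_name)}\s+in\s*$", line):
            found.append(current)
    return found


RULES = parse_acl(ACL_TEXT)


def verdicts() -> dict:
    """Verdict for a few constructed TTLs under the post's ACL."""
    return {ttl: evaluate(RULES, ttl) for ttl in (0, 1, 15, 16, 64, 255)}


if __name__ == "__main__":
    for ttl, verdict in verdicts().items():
        print(f"TTL {ttl:3d} -> {verdict}")
    print("inbound on:", inbound_acl_interfaces(SAMPLE_CONFIG, "ACL-BLOCK-LOW-TTL"))
```

Running it shows that the ACL denies every packet arriving with TTL 0 through 15 and permits 16 and above, and that only GigabitEthernet1/1 in the sample config actually has the guard inbound; the interface where the ACL was applied outbound would still let low-TTL packets expire on the switch itself.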