TTL Expiry prevention

Eric R. Jones
Level 4

Hello all, I'm working on securing our network from TTL Expiry attacks.

The reading I've done says I can use an ACL:

! Extended ACL: drop any IP packet arriving with a TTL below 16, allow the rest
ip access-list extended ACL-BLOCK-LOW-TTL
 deny ip any any ttl lt 16
 permit ip any any
!
! Apply inbound on the ingress (perimeter-facing) interface
interface g/#/#
 ip access-group ACL-BLOCK-LOW-TTL in


Or I can use the hardware module PFC/DFC incorporated into the 6500

platform rate-limit all ttl-failure ##


I would like to use the latter if possible, but I'm not quite getting the value that follows ttl-failure. I need to prevent TTL packets of 1 or less from being allowed in. From what I read, I just need to place a value at the end of the line that shows just how many TTL packets will be allowed, so 16 in this location will work the same as deny ip any any ttl lt 16.

It took a while to find the correct command as mls rate-limit doesn't work in the Sup2T module of the 6500.

I plan to configure this on my perimeter switch and maybe on the trusted switch, I don't think it's required there though.

ej
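As an added illustration (not part of the original post), the model below contrasts the two controls named in the thread: the ACL as a hard TTL-threshold filter, and the ttl-failure rate limiter as a per-second cap on TTL-expiring packets that would otherwise be punted to the control plane. The packet stream, the fixed one-second window and the pps value are constructed assumptions for the simulation, not device behaviour taken from documentation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds (constructed)
    ttl: int    # TTL value on arrival


def acl_low_ttl_permits(pkt: Packet, threshold: int = 16) -> bool:
    """Model of 'deny ip any any ttl lt <threshold>' + 'permit ip any any'."""
    return not (pkt.ttl < threshold)


class TtlFailureRateLimiter:
    """Model of a per-second cap on TTL-failure packets (TTL <= 1 on arrival,
    i.e. packets that would expire on this hop). Uses a simple fixed
    one-second window; this is an assumption for illustration only."""

    def __init__(self, pps: int):
        self.pps = pps
        self.window_start = None
        self.count = 0

    def permits(self, pkt: Packet) -> bool:
        if pkt.ttl > 1:
            return True   # not a TTL failure; the limiter does not apply
        if self.window_start is None or pkt.ts - self.window_start >= 1.0:
            self.window_start, self.count = pkt.ts, 0
        if self.count < self.pps:
            self.count += 1
            return True   # within the per-second budget, punted normally
        return False      # over budget: dropped


def simulate(packets, pps: int = 16):
    """Return (acl_permitted, ratelimit_permitted) counts for one stream."""
    limiter = TtlFailureRateLimiter(pps)
    acl_ok = sum(acl_low_ttl_permits(p) for p in packets)
    rl_ok = sum(limiter.permits(p) for p in packets)
    return acl_ok, rl_ok


# Constructed stream: 100 TTL=1 packets inside one second, 10 normal packets
# (TTL=64) and one packet with TTL=10 that expires elsewhere downstream.
SAMPLE = ([Packet(ts=i * 0.005, ttl=1) for i in range(100)]
          + [Packet(ts=0.6 + i * 0.01, ttl=64) for i in range(10)]
          + [Packet(ts=0.7, ttl=10)])
```

Running `simulate(SAMPLE)` shows the two controls diverge: the ACL keeps only the 10 normal packets, while the limiter admits 16 of the TTL=1 packets plus the TTL=10 packet, which is not a TTL failure on this hop.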
