Hello,
I'm looking for a way to mitigate a TTL expiry attack on a Cisco 4948-10G.
I've been googling around for hours, however, I haven't yet found a way to do it :(
Does anyone know a workaround to match low TTL packets?
Currently routing low TTL packets and generating ICMP replies fully occupies the CPU :S
Thank you in advance!
Best regards,
Semirke
More info:
The switch is running Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 15.0(2)SG9, RELEASE SOFTWARE (fc2).
When I try to add a TTL ACL, I get no such option:
me(config)#access-list 100 deny ip any any ?
dscp Match packets with given dscp value
fragments Check non-initial fragments
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
<cr>