OSPF TTL Security Check

This topic is to discuss the following lesson:

I guess if the person spoofing is capable of spoofing a TTL of 2, they are also capable of spoofing a TTL of 256, which (with the default config) would effectively override this safety mechanism in this scenario :slight_smile:

Unless the TTL is an 8 bit field, so 255 is the highest value!

Also you said this:

might be a change for IOS 15, but now the hops value is the maximum hop value, not the decrement amount.

> ttl-security all-interfaces hops ?
> <1-254> maximum number of hops allowed

So if you wanted a TTL of 155 you would use the number 155, not the number 100.

Hello Chris

Yes, you are correct that the TTL field is an 8 bit field, so the highest value can be 255.

I hope this has been helpful!

Laz

Hello again Chris.

You must remember that the value configured in the ttl-security all-interfaces hops command is the number of allowed hops and not the actual value of the TTL field. The value is essentially a threshold.

The default value is actually 0. This means that it will accept any values of TTL equal to or greater than 255-0. Since routing decrements the TTL by one, this means that only OSPF packets from directly connected devices will be accepted.

If this threshold is configured at 100 hops, then only packets with a TTL higher than 255-100 = 155 will be accepted. That means that packets with a TTL within the range of 155 to the maximum of 255 will be accepted.

I hope this has been helpful!

Laz

Hi Rene,
Hopefully you are doing good…

I have one question. When I am going through your CCIE R&S Written Table of Contents here, why are 3.6e: Path Preference & 3.6f: Operations not showing anything? When I try to click there, no page opens. So do you want to add any content there, or is it a mistake by you? 3.6g: Convergence and Scalability has content, because when I click the + button the content comes up.

For your reference I attached the screenshots as well.

Screenshot1
Screenshot2
Thanks & Regards,
Arindom

Hello Arindom

Thanks for that! I have sent out a message to Rene to take a look and fix it!

Laz

Hi Arindom,

I just moved a couple of items of 3.6f that should be there but weren’t.

3.6e is empty right now so that is a bit confusing. I’ll have to check which items can go there.

Rene

Hi Rene,
Thanks for replying … if you add anything there, I will definitely go through the point…

Thanks & Regards,
Arindom


Hi Rene,
FYI

As per your lesson

R1(config)#router ospf 1
R1(config-router)#ttl all-interfaces

I can see the syntax as in the image.

I don’t know if this is a typo or whether the syntax is like this on an older IOS version.

I am using a 7200 series router with IOS 15.0.

Hello Gowthamraj

Yes, you are correct, the command is indeed ttl-security all-interfaces. I was unable to find the syntax described in the lesson so I assume that this is a typo. I will let Rene know to confirm and make the modification as needed.

Thanks for pointing that out!

Laz


Hi @gowthamraj4

Thank you. I agree with @lagapidis, this is probably a typo. I just fixed it.

Rene


Hey guys,

Do you have any lesson on TTL Security Check for eBGP?

Hello Joseph

There’s currently no lesson on TTL Security Check for BGP, however, you can take a look at this post which talks a little bit about it, and also links to relevant Cisco documentation.

If you’re interested, you can make a suggestion to add a lesson on the topic at the Member Ideas page below:

I hope this has been helpful!

Laz

@lagapidis

The moral of the story is, if I configure the TTL value as 10, it means the maximum hops allowed is between 11-255 (255-10=245)… Right??

Then, Rene configured the TTL value as 255, which means (255-255=0). So it will accept only directly connected.

Let's say I have 3 routers (R1–>R2–>R3), R3 is the attacker, and I have configured the TTL security in R1 and R2 as 255. Now the question is, what will happen when R3 as an attacker sends a unicast packet to R1 with TTL 30? How will R2 prevent the attack before it reaches R1? Can you explain a little bit please!

Hello Narad

Yes, theoretically speaking, if you configure the following:

ttl-security all-interfaces hops 10

then your OSPF router will accept any OSPF packets with a TTL greater than or equal to 10, but will reject all OSPF packets with a TTL of 9 or smaller.

Keep in mind that OSPF adjacencies always take place between directly connected devices. There should never be a router (or attacker) that is more than one hop away that can potentially become a neighbor. To be honest, I’m not sure why this command allows you to adjust the number of hops. The only reason I can think of is that you may have OSPF devices (of other vendors?) that may not be able to send OSPF packets with a TTL of 255 but may be able to be configured to do so with a smaller TTL. In any case, by using a TTL smaller than 255, you are negating the benefits of the feature, and opening a security hole. I believe best practice would be not to adjust the TTL and let it remain at 255.

Now for the scenario that you describe, in actuality, it is not R2 that will prevent the attack, but it is R1 that will simply not accept the OSPF packet because it has a TTL of 30 and not a TTL of 255.

I hope this has been helpful!

Laz
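The following is an added example, not code from the lesson or from any post in this thread. It models the acceptance rule Laz gave in his reply to Chris (a packet is accepted only when its TTL on arrival is at least 255 minus the configured hops, with hops defaulting to 0) and the fact that each forwarding router decrements the TTL by one, and then runs Narad's R1–R2–R3 scenario through it with the default setting and with hops 100 side by side. The scenarios, the `Attempt` class and the helper names are constructed for this illustration.

```python
"""Added example (not from the lesson or any post in this thread): a small model
of the OSPF TTL security check as explained above.

Assumed rule (from Laz's reply to Chris): a router accepts an OSPF packet only if
    ttl_on_arrival >= 255 - hops
where `hops` is the value given to `ttl-security all-interfaces hops <1-254>`
(0 when the keyword is omitted). Every router that forwards the packet
decrements its TTL by one, so a packet from beyond the directly connected
segment can never arrive with TTL 255.
"""

from dataclasses import dataclass

TTL_MAX = 255  # the IPv4 TTL field is 8 bits wide, so 255 is the largest TTL


def ttl_threshold(hops: int = 0) -> int:
    """Lowest TTL a router configured with this hops value will accept."""
    if not 0 <= hops <= 254:  # the CLI takes <1-254>; 0 is the default (keyword omitted)
        raise ValueError(f"hops must be 0..254, got {hops}")
    return TTL_MAX - hops


def accepts(ttl_on_arrival: int, hops: int = 0) -> bool:
    """Decision the receiving router makes for one OSPF packet."""
    if not 0 <= ttl_on_arrival <= TTL_MAX:
        raise ValueError(f"TTL must fit in 8 bits, got {ttl_on_arrival}")
    return ttl_on_arrival >= ttl_threshold(hops)


def ttl_after_forwarding(initial_ttl: int, routers_in_between: int) -> int:
    """TTL seen by the final receiver after each intermediate router has
    decremented it by one. Returns 0 when the packet would expire in transit."""
    remaining = initial_ttl - routers_in_between
    return remaining if remaining > 0 else 0


@dataclass(frozen=True)
class Attempt:
    """Constructed scenario: who sent the packet, with what TTL, and how many
    routers forward it before it reaches the router doing the check."""
    sender: str
    initial_ttl: int
    routers_in_between: int


def evaluate(attempt: Attempt, hops: int = 0) -> dict:
    """Work out what the checking router sees and whether it accepts the packet."""
    arrival = ttl_after_forwarding(attempt.initial_ttl, attempt.routers_in_between)
    return {
        "sender": attempt.sender,
        "ttl_on_arrival": arrival,
        "threshold": ttl_threshold(hops),
        "accepted": arrival > 0 and accepts(arrival, hops),
    }


# Constructed scenarios taken from the discussion in this thread; R1 is the
# router running the check, R2 is its direct neighbour, R3 sits behind R2.
SCENARIOS = [
    Attempt("R2 (directly connected, sends TTL 255)", 255, 0),
    Attempt("R3 via R2 (attacker, sends TTL 30)", 30, 1),
    Attempt("R3 via R2 (attacker, sends TTL 255)", 255, 1),
    Attempt("R2 (directly connected, sends TTL 155)", 155, 0),
]


def run(hops: int = 0) -> list:
    """Evaluate every scenario against one hops setting on R1."""
    return [evaluate(a, hops) for a in SCENARIOS]


if __name__ == "__main__":
    for hops in (0, 100):
        print(f"--- ttl-security hops {hops} (threshold {ttl_threshold(hops)}) ---")
        for r in run(hops):
            verdict = "accept" if r["accepted"] else "reject"
            print(f"{r['sender']:44s} arrives with TTL {r['ttl_on_arrival']:3d} -> {verdict}")
```

With the default (hops 0) only the directly connected neighbour sending TTL 255 is accepted; the packet from R3 arrives at R1 with TTL 29 and is dropped by R1 itself, exactly as Laz describes. With hops 100 the threshold drops to 155, and the same R3 packet sent with TTL 255 now arrives as 254 and is accepted, which is the "security hole" the thread warns about when the hops value is raised.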