Check Point Advisories

Security Best Practice: Familiarize Yourself with the Time to Live (TTL) Masking Protection

Check Point Reference: SBP-2008-25
Date Published: 15 Aug 2008
Severity: Medium
Last Updated: Tuesday 01 January, 2008
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? Web Servers
Vulnerability Description
Each IP packet has a field called "Time to Live", or TTL. Each router along the path decrements this value by one. When a router decrements the value to zero, it drops the packet and sends an ICMP message back to the source to report the event.

Vulnerability Details
When a host sends a packet, it sets the TTL to a value that should be enough to make sure the packet reaches its destination under normal circumstances. The default initial value varies from one OS to another; typical values are 64, 128 and 255. An adversary receiving a packet can deduce the number of routers between it and the sending machine by assuming that the original TTL was one of these values and that each router along the way decreased it by one. In addition, identifying which of these initial TTLs was used reveals some information about which operating system the host is running.
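The following Python example is added here to illustrate the two sides of what the advisory describes; it is not Check Point's code and does not reflect how the IPS implements the protection. It shows the passive inference (picking the nearest common initial TTL and deriving a hop count, which is what an observer on the receiving end would compute), and a TTL masking step that rewrites the TTL of an IPv4 header to a fixed value and recomputes the header checksum, so that the packet no longer leaks hop count or OS hints. The packet bytes and the fixed replacement value of 128 are constructed for the example; the checksum routine is the standard one's-complement header checksum.

```python
import struct

# Common default initial TTL values listed in the advisory.
DEFAULT_INITIAL_TTLS = (64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hop_count) for an observed TTL.

    Uses the smallest common initial TTL that is >= the observed value,
    which is the inference the advisory describes an observer making.
    """
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header bytes.

    Over a header whose checksum field is already filled in, the result
    is 0 when the checksum is valid.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ttl, src, dst, payload_len=0, proto=6):
    """Minimal 20-byte IPv4 header with a valid checksum (constructed sample)."""
    total_len = 20 + payload_len
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol,
    # checksum placeholder, source, destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                      ttl, proto, 0, src, dst)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def get_ttl(packet):
    """TTL lives at byte offset 8 of the IPv4 header."""
    return packet[8]


def header_checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def mask_ttl(packet, new_ttl=128):
    """Rewrite the TTL of an IPv4 packet to a fixed value and fix the checksum.

    Because the TTL is covered by the header checksum, the checksum must be
    recomputed or downstream hosts will discard the packet.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    header = bytearray(packet[:ihl])
    header[8] = new_ttl
    header[10:12] = b"\x00\x00"          # zero the field before recomputing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


if __name__ == "__main__":
    # Constructed sample: a packet that left a 64-TTL host and crossed 3 routers.
    pkt = build_ipv4_header(ttl=61, src=bytes([10, 0, 0, 1]), dst=bytes([10, 0, 0, 2]))
    print("before masking:", infer_hops(get_ttl(pkt)))      # (64, 3)
    masked = mask_ttl(pkt)
    print("after masking: ", infer_hops(get_ttl(masked)))   # (128, 0)
    print("checksum valid:", header_checksum_ok(masked))    # True
```

After masking, every outbound packet carries the same TTL regardless of the sending OS or its distance from the gateway, so the inference returns the same uninformative result for all of them. Masking should still use a value large enough that the packet can reach any legitimate destination.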

Protection Overview
