Tracing behind the firewall
Posted Jan 11, 2007 11:44 UTC (Thu) by jannic
Parent article: Tracing behind the firewall
There is, however, a very simple defense against this attack: just configure your firewall to drop (or answer with TTL exceeded) any packet with a too low TTL field. The minimal TTL value allowed should be bigger than the largest number of hops behind the firewall. That way, it'll look like all hosts behind your NAT have the same number of hops, and you don't get any information about the individual steps from outside.
Something like "iptables -I FORWARD -m ttl --ttl-lt 4 -j DROP" should do the job. Unfortunately, there is no --reject-with icmp-ttl-exceeded, AFAIK.
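A small simulation of the effect described in the comment above (an added example, not part of jannic's comment or of iptables): it replays a traceroute-style sweep through a firewall that drops forwarded packets whose TTL is below a minimum, and also shows what leaks when the minimum is smaller than the depth of the network behind it. The hop names and the topology are constructed, and the model assumes the TTL check is applied after the firewall's own decrement.

```python
# Added example, not from the comment: simulate what an outside traceroute
# observes through a NAT firewall that drops forwarded packets whose TTL is
# below a minimum (the iptables rule above). Hop names are constructed, and
# the model assumes the check is applied after the firewall's own decrement.

MAX_PROBE_TTL = 16

def send_probe(path, ttl, min_ttl):
    """Forward one probe along path (hops after the prober, target last) and
    return who answers: a router (ICMP time exceeded), the target, or '*'."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:
            return hop                # destination replies (port unreachable)
        ttl -= 1                      # each router decrements before forwarding
        if ttl == 0:
            return hop                # time exceeded reveals this router
        if hop == "fw" and min_ttl is not None and ttl < min_ttl:
            return "*"                # like: -m ttl --ttl-lt <min_ttl> -j DROP
    return "*"

def trace(path, min_ttl=None):
    """Traceroute-style sweep: the hop list as seen from outside."""
    seen = []
    for ttl in range(1, MAX_PROBE_TTL + 1):
        reply = send_probe(path, ttl, min_ttl)
        seen.append(reply)
        if reply == path[-1]:
            break
    return seen

# Constructed internal topology: routers between the firewall and each host.
INTERNAL = {
    "host-a": [],                          # directly behind the firewall
    "host-b": ["r1"],
    "host-c": ["r1", "r2"],
    "host-d": ["r1", "r2", "r3", "r4"],    # deeper than a min TTL of 4 covers
}

def observed(min_ttl=None):
    """Map each internal host to the hop list an outside traceroute sees."""
    return {host: trace(["isp-router", "fw", *routers, host], min_ttl)
            for host, routers in INTERNAL.items()}

def leaked_routers(seen):
    """Internal routers (r*) that still showed up in any trace."""
    return sorted({h for hops in seen.values() for h in hops if h.startswith("r")})

if __name__ == "__main__":
    print(observed(min_ttl=4), leaked_routers(observed(min_ttl=4)))
```

With the rule in place, hosts a to c all appear at the same hop with identical timeouts before them, while host-d (deeper than the minimum allows for) still exposes r4, which is why the minimum must exceed the number of hops behind the firewall.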