The recently completed Linux
2.6.34 merge window included a patch
to eliminate a type of denial-of-service attack against
routers. The "Generalized TTL Security Mechanism" (GTSM) is described in
RFC 5082 as a means to
protect routers from CPU-utilization attacks—essentially overloading
the router with bogus Border Gateway Protocol (BGP) packets. With the
addition of a simple socket option, those attacks can be easily thwarted.
Time-to-live (or TTL) is an eight-bit field in an IP packet that is
initially set to some value (by default 64) on the sending host. Each host
the packet decrements it, and if it ever reaches zero, the packet is
discarded. The idea is to eliminate the possibility of immortal packets
that continue to be forwarded in some kind of Internet loop eventually
consuming all of the bandwidth. Tools like traceroute and
ping can change the TTL values of the packets they send to
provide different kinds of information about the network.
Since TTL is already a part of IP, it can be extended in compatible ways.
The idea behind GTSM is that two applications negotiate to use a minimum
TTL value that they will accept, any packets that have a lower value will
be discarded. Because routers that are communicating via BGP—the
core Internet routing protocol—are typically adjacent (i.e. one hop
from each other), and TTL spoofing is considered to be more-or-less
impossible, the TTL value can be used to eliminate spoofed packets. By
setting the minimum TTL value to 255, and sending their packets with a TTL
of 255, two routers can ensure that they only process BGP packets from each
BGP sessions typically use an MD5-based signature to authenticate the
sender. Prior to GTSM, an attacker could spoof IP packets to a router,
which looked like they came from one of its peers. It would then do the
MD5 calculation and find out that, in fact, the packet was bogus. But that
takes CPU time. Enough spoofed packets may tie up the CPU such that real
messages get lost. GTSM allows routers to drop the spoofed packets without
ever calculating the MD5 hash.
The Linux patch is rather simple and the implementation is the same as that
for BSD kernels. A new option (IP_MINTTL) is added that can be
used with setsockopt() to change the minimum TTL for a socket. If
set, the TCP code checks the value and discards packets that have smaller
The patch does not add support for various other protocols (e.g. UDP) nor
for the IPv6 equivalent, which is IPV6_MINHOPLIMIT.
Applications would need to negotiate the use of GTSM via some
higher-level protocol and, as the RFC points out, need to authenticate the
peer before enabling GTSM. Another kind of denial-of-service could be
performed if a bogus packet initiating IP_MINTTL is processed.
It is interesting to see a basic IP building-block like TTL being
repurposed to stop these kinds of attacks. The idea has been around for a
bit, with the first RFC
being accepted in 2004. As with many Internet security techniques, it only
came about after these CPU-utilization attacks became widespread. Each
time attackers find a new hole, various folks find some kind of fix. It is
a non-stop game of whack-a-mole, and one that isn't likely to end soon.
to post comments)