Linux adds router denial-of-service prevention

Posted Mar 18, 2010 8:58 UTC (Thu) by ekj (guest, #1524)
Parent article: Linux adds router denial-of-service prevention

It's an interesting mechanism, and one usable for a lot more than protecting router-protocols.

Since TTL is an 8-bit field, there's no way it can be set higher than 255, and if the routers around you work properly, they will decrement TTL by (at least) one for every packet coming through. (exception: "transparent"-mode where routers pretend not to be there)

By insisting, at the kernel level, that packets coming in to a certain socket must have a minimum remaining TTL, you can in essence say: "only accept packets to this socket from machines which are 'close' to me", where 'close' is interpreted in a network sense.

I have a home-network with a router, and a second router that serves as my gateway to the internet.

If those both work correctly, it means I can never get a packet from the internet with a TTL higher than 253. Services which are intended for home use only could insist on a minimum TTL of 254, and I'd be protected against any kind of bullshit coming from outside.

The same thing is true at work: I've got servers here which provide services, services which are never intended to be used from outside the building. Yes, sure, there's a firewall dealing with that. But those can have bugs of their own, and are frequently misconfigured. This would be a useful additional layer.
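The mechanism described in this comment, as an added example (not code from the thread or from the kernel): a TCP listener on loopback sets a minimum TTL via IP_MINTTL, then one client connects with a low outgoing TTL and another with TTL 255. The hop-count arithmetic follows the two-router calculation above; the fallback value 21 for IP_MINTTL is the Linux constant, assumed here because CPython's socket module does not export it.

```python
import socket

# CPython does not export IP_MINTTL; 21 is its value on Linux (<linux/in.h>).
IP_MINTTL = getattr(socket, "IP_MINTTL", 21)

def min_ttl_for_hops(max_router_hops):
    """TTL starts at no more than 255 and every correctly working router
    decrements it by at least one, so a peer at most max_router_hops routers
    away delivers TTL >= 255 - max_router_hops. Two routers between you and
    the internet => internet traffic arrives with TTL <= 253, so a bound of
    254 admits only the home network."""
    if not 0 <= max_router_hops < 255:
        raise ValueError("hop count must be in 0..254")
    return 255 - max_router_hops

def listen_local_only(max_router_hops):
    """TCP listener on loopback; the kernel drops any segment (including the
    initial SYN) whose TTL is below the bound, before userspace sees it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_MINTTL, min_ttl_for_hops(max_router_hops))
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv

def try_connect(srv, ttl, timeout=1.0):
    """Connect to srv with outgoing TTL `ttl`. True if the handshake completed
    within `timeout` seconds, False if the SYN was silently discarded."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    cli.settimeout(timeout)
    try:
        cli.connect(srv.getsockname())
        return True
    except (socket.timeout, OSError):
        return False
    finally:
        cli.close()

def demo():
    """Bound of 255 (directly attached peers only): a client sending with the
    default-ish TTL 64 is dropped in the kernel, a TTL-255 client gets through."""
    srv = listen_local_only(0)
    try:
        return {"ttl64": try_connect(srv, 64), "ttl255": try_connect(srv, 255)}
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

The dropped SYN is counted in the TCPMinTTLDrop line of /proc/net/netstat, which is the place to look when a legitimate peer unexpectedly cannot connect.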

Linux adds router denial-of-service prevention

Posted Mar 18, 2010 14:31 UTC (Thu) by jengelh (subscriber, #33263)

> there's no way it can be set higher than 255, and if the routers around you work properly, they will decrement TTL by (at least) one for every packet coming through. (exception: "transparent"-mode where routers pretend not to be there)

Hm. So all you need is a tunnel (gre, esp, whatever) to the router and you can send it TTL=255 messages from afar :-/

Linux adds router denial-of-service prevention

Posted Mar 18, 2010 14:38 UTC (Thu) by tialaramex (subscriber, #21167)

You can already see this fact used in link-local protocols, in two (unfortunately contradictory) ways.

Some protocols require that TTL is 1. This means that a conforming implementation, connected to properly functioning routers, never leaks packets onto the wider network (whether or not that is the Internet) regardless of router (mis)configuration, because the router will reduce TTL to zero and discard the packet. It is fairly trivial for a knowledgeable attacker to spoof such packets if he can deliver them to your network.

Some protocols require that TTL is 255, because, as observed here, packets which are somehow routed onto your network from elsewhere will not have this TTL value and so can be discarded. In this case attackers can't spoof you, but a lot of care is needed to ensure that no misconfigured router spills all the packets onto the Internet (or else, that when it does so no harm results).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds