There is, however, a very simple defense against this attack: Just configure your firewall to drop (or answer with TTL exceeded) any packet with a too low TTL field. The minimal TTL value allowed should be bigger than the largest number of hops behind the firewall. That way, it'll look like all hosts behind your NAT have the same number of hops, and you don't get any information about the individual steps from outside.
Something like "iptables -I FORWARD -m ttl --ttl-lt 4 -j DROP" should do the job. Unfortunately, there is no --reject-with icmp-ttl-exceeded, AFAIK.
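To see why the threshold has to exceed the deepest host, here is a small simulation of an outside TTL probe against hosts behind a NAT, with and without the drop rule from the comment above. It is an added example, not code from the commenter or from LWN; the hop model (the firewall is hop 1, each internal router one more, a host n hops in sits behind n decrementing devices) and the host names are assumptions made for the example.

```python
"""Simulate what an outside observer learns from TTL probes sent at
hosts behind a NAT/firewall, with and without the low-TTL drop rule."""

def probe(ttl, depth, min_ttl):
    """One probe packet arriving at the firewall with the given TTL,
    aimed at a host `depth` devices in (firewall = device 0).
    Returns what the outside observer learns:
      "dropped"       - silently dropped by the firewall's TTL rule
      ("expired", d)  - ICMP TTL exceeded sent by forwarding device d
      "reached"       - packet arrived at the host, which answers."""
    if ttl < min_ttl:                      # the iptables --ttl-lt rule
        return "dropped"
    for device in range(depth):
        if ttl <= 1:                       # cannot be forwarded further
            return ("expired", device)
        ttl -= 1                           # each device decrements TTL
    return "reached"

def observed_depth(depth, min_ttl, max_probe=64):
    """Smallest probe TTL at which the host answers: the distance a
    traceroute-style probe would attribute to it."""
    for ttl in range(1, max_probe + 1):
        if probe(ttl, depth, min_ttl) == "reached":
            return ttl
    return None

def fingerprint(depths, min_ttl):
    """Apparent distance of every host, as seen from outside."""
    return {host: observed_depth(d, min_ttl) for host, d in depths.items()}

def min_ttl_for(depths):
    """Lowest TTL to allow: strictly greater than the deepest host."""
    return max(depths.values()) + 1

def rule_for(depths):
    """The commenter's iptables rule, parameterised on the topology."""
    return f"iptables -I FORWARD -m ttl --ttl-lt {min_ttl_for(depths)} -j DROP"

# Constructed sample topology: firewall, one router, one more router.
HOSTS = {"dmz-web": 1, "lan-pc": 2, "wifi-pc": 3}

if __name__ == "__main__":
    print("no filter :", fingerprint(HOSTS, 0))               # distinct depths leak
    print("too low   :", fingerprint(HOSTS, 3))               # deepest host still stands out
    print("rule      :", rule_for(HOSTS))
    print("with rule :", fingerprint(HOSTS, min_ttl_for(HOSTS)))  # all look the same
```

With the rule in place, probes below the threshold are dropped instead of drawing a TTL-exceeded reply from an internal router, so the intermediate hops stay invisible as well.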
Copyright © 2017, Eklektix, Inc.