Snort mailing list archives
Re: TTL LIMIT Exceeded
From: Jason <security () brvenik com>
Date: Fri, 26 Mar 2004 23:01:11 -0500
A route loop could be the culprit, but I would expect it to occur more often than occasionally, and as an intermittent problem it would be excessive, manifesting in short bursts.
Some of my thoughts

As it relates to security it could be:
- Reconnaissance in an attempt to map internal network layout - The resulting TTL Time Exceeded in Transit - ICMP Type 11 will contain the source address of the device expiring the packets.
- A form of firewalking - http://www.packetfactory.net/projects/firewalk/
- Network fingerprinting to try to identify the hardware in use

Non security related:
I have seen similar behavior from global load balancing applications that attempt to identify the closest content distribution point. They cannot know true distance without measuring hops until TTL exceeded is reached.

Any chance we can get some of the packets?

Mark E. Donaldson wrote:
Any chance this could be caused by a router loop?

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sheahan, Paul
Sent: Thursday, March 25, 2004 12:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TTL LIMIT Exceeded

I'm seeing "(spp_stream4) TTL LIMIT Exceeded {TCP}" alerts in Snort.

Occasionally I see web requests arriving at my web server with a TTL of 5. Then the following packets decrement down to 4, 3, 2, 1, then zero, which generates a TTL LIMIT EXCEEDED. Just curious if anyone knows what the intent would be in purposely sending web requests with a low TTL to generate this message?

Thanks
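A triage sketch for the kind of packets requested above, added here as an example and not part of the original thread: it groups low-TTL packets by source, destination and destination port, then labels how the TTL changes from packet to packet. The one-line packet format, the threshold of 10, the function names and the sample traffic are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: simplified one-line packet summaries in capture order,
# using documentation address ranges. Not real traffic.
SAMPLE = """\
12:53:01.100 IP (tos 0x0, ttl 5, id 4101, len 60) 198.51.100.7.40112 > 192.0.2.10.80: Flags [S]
12:53:01.180 IP (tos 0x0, ttl 4, id 4102, len 52) 198.51.100.7.40112 > 192.0.2.10.80: Flags [.]
12:53:01.260 IP (tos 0x0, ttl 3, id 4103, len 512) 198.51.100.7.40112 > 192.0.2.10.80: Flags [P.]
12:53:01.340 IP (tos 0x0, ttl 2, id 4104, len 52) 198.51.100.7.40112 > 192.0.2.10.80: Flags [.]
12:53:01.420 IP (tos 0x0, ttl 1, id 4105, len 52) 198.51.100.7.40112 > 192.0.2.10.80: Flags [.]
12:54:10.000 IP (tos 0x0, ttl 1, id 900, len 60) 203.0.113.9.51000 > 192.0.2.10.80: Flags [S]
12:54:10.050 IP (tos 0x0, ttl 2, id 901, len 60) 203.0.113.9.51001 > 192.0.2.10.80: Flags [S]
12:54:10.100 IP (tos 0x0, ttl 3, id 902, len 60) 203.0.113.9.51002 > 192.0.2.10.80: Flags [S]
12:55:00.000 IP (tos 0x0, ttl 54, id 77, len 60) 198.51.100.20.33000 > 192.0.2.10.80: Flags [S]
12:55:00.040 IP (tos 0x0, ttl 54, id 78, len 52) 198.51.100.20.33000 > 192.0.2.10.80: Flags [.]
"""

# Captures: ttl, source IP, source port, destination IP, destination port.
LINE = re.compile(
    r"ttl (\d+),.*? (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def low_ttl_groups(text, threshold=10):
    """Collect TTLs per (src, dst, dport); keep groups that dip below threshold."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            ttl, src, _sport, dst, dport = m.groups()
            # Source port is ignored so probes from changing ports stay together.
            groups[(src, dst, int(dport))].append(int(ttl))
    return {k: v for k, v in groups.items() if min(v) < threshold}

def pattern(ttls):
    """Label the packet-to-packet TTL change within one group."""
    if len(ttls) < 2:
        return "single"
    steps = {b - a for a, b in zip(ttls, ttls[1:])}
    if steps == {1}:
        return "ascending"    # TTL raised by one per packet, as hop-by-hop probing does
    if steps == {-1}:
        return "descending"   # the countdown described in the original question
    return "constant" if steps == {0} else "mixed"

def triage(text, threshold=10):
    return {g: pattern(t) for g, t in low_ttl_groups(text, threshold).items()}

if __name__ == "__main__":
    for group, label in triage(SAMPLE).items():
        print(group, label)
```

The labels only describe the TTL sequence; deciding between probing, a load balancer measuring hops, or a routing problem still needs the packets themselves.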
Current thread:
- TTL LIMIT Exceeded Sheahan, Paul (Mar 25)
- RE: TTL LIMIT Exceeded Mark E. Donaldson (Mar 26)
- Re: TTL LIMIT Exceeded Jason (Mar 26)
- RE: TTL LIMIT Exceeded Alejandro Flores (Mar 27)