! ip access-list extended ACL-BLOCK-LOW-TTL deny ip any any ttl lt 16 permit ip any any ! interface FastEthernet0 ip access-group ACL-BLOCK-LOW-TTL in !
As noted in the following CoPP section, some protocols make legitimate use of packets with very low TTL values. This use should be taken into account before the deployment of packet filtering that is based solely on TTL.
The following show access-lists output depicts the number of packets that were dropped by ACL-BLOCK-LOW-TTL.
Router#show access-lists ACL-BLOCK-LOW-TTL Extended IP access list ACL-BLOCK-LOW-TTL 10 deny ip any any ttl lt 16 (3003 matches) 20 permit ip any any (2670 matches) Router#
As displayed, there were 3003 packets dropped by the router access list ACL-BLOCK-LOW-TTL.
Administrators may be able to gain additional attack information through the use of ACL logging. ACL logging has been proven to elevate the CPU load of network devices and should not be enabled without careful planning. For more information see Access Control List Logging.
Control Plane Policing and Control Plane Protection can be used to protect an individual network device from TTL expiry attacks. CoPP and CPPr do not have visibility into transit packets with TTL values greater than one; therefore, CoPP and CPPr cannot be used to protect other network devices.
Beginning with Cisco IOS software version 12.4(2)T, an administrator may be able to leverage TTL filtering in access control lists with CoPP and CPPr to filter packets with TTL values of zero and one. The following configuration, although not a comprehensive example of the capabilities of CoPP, will mitigate the threat of TTL expiry on the local network device.
! !Add an ACL to match any IP packet with TTL values !of zero or one. ! ip access-list extended ACL-MATCH-TTL-0/1 permit ip any any ttl eq 0 permit ip any any ttl eq 1 ! !Define a class that contains packets matching !the ACL ACL-MATCH-TTL-0/1. ! class-map match-all COPP-CM-TTL-0/1 match access-group name ACL-MATCH-TTL-0/1 ! !Create the policy map that will be applied to !the control-plane. ! policy-map COPP-PM ! !Assign the action of ‘drop’ to the COPP-CM-TTL-0/1 !class. This will cause all packets in the class to be !dropped before they are processed by the CPU. ! class COPP-CM-TTL-0/1 drop ! !Assign the COPP-PM policy map the aggregate control- !plane interface in the inbound direction. ! control-plane service-policy input COPP-PM !
Some protocols make legitimate use of low TTL values; eBGP is one such protocol. Where required, the CoPP configuration will need to be altered to allow for the proper operation of these protocols. The following configuration builds on the previous example to allow eBGP packets with a TTL value of one.
! !Add an ACL to match EBGP packets (179/tcp) from !trusted sources with a TTL of one. ! ip access-list extended ACL-MATCH-TRUSTED-EBGP permit tcp host 192.168.1.101 any eq bgp ttl eq 1 permit tcp host 192.168.1.101 eq bgp any ttl eq 1 ! !Add an ACL to match any IP packet with TTL values !of zero or one. ! ip access-list extended ACL-MATCH-TTL-0/1 permit ip any any ttl eq 0 permit ip any any ttl eq 1 ! !Define a class that contains packets matching !the ACL ACL-MATCH-TRUSTED-EBGP. ! class-map match-all COPP-CM-EBGP match access-group name ACL-MATCH-TRUSTED-EBGP ! !Define a class that contains packets matching !the ACL ACL-MATCH-TTL-0/1. ! class-map match-all COPP-CM-TTL-0/1 match access-group name ACL-MATCH-TTL-0/1 ! !Create the policy map that will be applied to !the control-plane. ! policy-map COPP-PM ! !Assign the COPP-CM-EBGP class to this policy map. !There is no action, which will cause packets in this !class to be permitted by CoPP and processed by the CPU. ! class COPP-CM-EBGP ! !Assign the action of ‘drop’ to the COPP-CM-TTL-0/1 !class. This will cause all packets in the class to be !dropped before they are processed by the CPU. ! class COPP-CM-TTL-0/1 drop ! !Assign the COPP-PM policy map the aggregate control- !plane interface in the inbound direction. ! control-plane service-policy input COPP-PM !
Although CPPr offers a control plane subinterface specific to packets to be processed by the local network device, administrators are advised to apply the policy map to the aggregate control plane interface as shown in the preceding configuration. This configuration will ensure that both transit packets and packets to be processed locally with TTL values of zero and one will be dropped uniformly.
The show policy-map control-plane command will display the number of packets that have been matched by each class map within the applied policy map. The following sample output displays the number of packets that were dropped by the COPP-PM policy.
Router# show policy-map control-plane Control Plane Service-policy input: COPP-PM Class-map: COPP-CM-EBGP (match-all) 8 packets, 602 bytes 5 minute offered rate 0 bps Match: access-group name ACL-MATCH-TRUSTED-EBGP Class-map: COPP-CM-TTL-0/1 (match-all) 144 packets, 7776 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group name ACL-MATCH-TTL-0/1 drop Class-map: class-default (match-any) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any Router#
The following show access-lists output displays the corresponding number of packets that matched the access list ACL-MATCH-TTL-0/1, which was used as part of the preceeding CoPP configuration.
Router# show access-lists Extended IP access list ACL-MATCH-TRUSTED-EBGP 10 permit tcp host 192.168.1.101 any eq bgp ttl eq 1 20 permit tcp host 192.168.1.101 eq bgp any ttl eq 1 (8 matches) Extended IP access list ACL-MATCH-TTL-0/1 10 permit ip any any ttl eq 0 20 permit ip any any ttl eq 1 (144 matches) Router#
As displayed, there were 144 packets matched and then dropped by the access list ACL-MATCH-TTL-0/1, which corresponds to the value shown in the previous show policy-map control-plane output.
Flexible Packet Matching (FPM) can be used to filter IP packets based on TTL value. FPM can be leveraged to protect both the local network device and downstream network devices from TTL expiry attacks through either rate limiting or complete filtering of packets with low TTL values.
Starting in 12.4(4)T, Flexible Packet Matching can be used to filter on specific fields within the IP packet. Included in those fields is the TTL value of the packet. The following configuration example illustrates the use of FPM to drop IP packets with TTL values of 15 or less.
! !Load the Protocol Header Description File (PHDF) for IP. ! load protocol flash:ip.phdf ! !Create access-control class map to match IP packets with a !TTL below 16. ! class-map type access-control match-all FPM-CM-MATCH-TTL-LT-16 match field IP ttl lt 16 ! !Create a policy map with a single class, !FPM-CM-MATCH-TTL-LT-16. Packets in that class will be dropped. ! policy-map type access-control FPM-PM-DROP-TTL-LT-16 class FPM-CM-MATCH-TTL-LT-16 drop ! !Apply the new policy map to the FastEthernet0 interface !in the inbound direction. ! interface FastEthernet0 service-policy type access-control input FPM-PM-DROP-TTL-LT-16 !
More information on using Flexible Packet Matching is available in the Flexible Packet Matching Deployment Guide.
The following show policy-map type access-control interface fa0 output shows the 75,029 packets that were dropped by the FPM policy and applied to the FastEthernet0 interface.
Router#show policy-map type access-control interface fa0 FastEthernet0 Service-policy access-control input: FPM-PM-DROP-TTL-LT-16 Class-map: FPM-CM-MATCH-TTL-LT-16 (match-all) 75029 packets, 10053886 bytes 5 minute offered rate 14000 bps, drop rate 14000 bps Match: field IP ttl lt 16 drop Class-map: class-default (match-any) 1288996 packets, 118831931 bytes 5 minute offered rate 8000 bps, drop rate 0 bps Match: any Router#
The Cisco Catalyst 6500 Series and Cisco 7600 Series Supervisor Engine 32 and Supervisor Engine 720 support platform-specific, hardware-based rate limiters (HWRLs) for special networking scenarios. These hardware-based rate limiters are called "special-case" rate limiters because they cover a specific predefined set of IPv4, IPv6, unicast, and multicast DoS scenarios. The TTL-Failure General Rate Limiter can be used to rate-limit unicast or multicast packets that fail the TTL check (i.e., packets with TTL values less than or equal to one).
Hardware Rate Limiters, specifically the TTL-Failure rate limiter, can only be used to protect the local device against TTL expiry attacks. HWRLs cannot protect downstream network devices from TTL expiry attacks.
The following command configures a Catalyst 6500 IOS Switch to rate-limit the TTL failure messages that it generates to 500 packets per second (pps) with a burst of ten packets:
Switch(config)#mls rate-limit all ttl-failure 500 10
Note: The TTL-failure rate limiter is a shared rate limiter, and its configured rate will be shared with the no-route, RPF failure, and ICMP Unreachable rate limiters.
To confirm the setting of the TTL-failure rate limiter, issue the show mls rate-limit command; the following output is example output from this command.
Switch#show mls rate-limit Sharing Codes: S - static, D - dynamic Codes dynamic sharing: H - owner (head) of the group, g - guest of the group Rate Limiter Type Status Packets/s Burst Sharing --------------------- ---------- --------- ----- ------- MCAST NON RPF Off - - - MCAST DFLT ADJ On 100000 100 Not sharing MCAST DIRECT CON Off - - - ACL BRIDGED IN On 500 10 Group:1 S ACL BRIDGED OUT On 500 10 Group:1 S IP FEATURES Off - - - ACL VACL LOG Off - - - CEF RECEIVE Off - - - CEF GLEAN On 10000 10 Not sharing MCAST PARTIAL SC On 100000 100 Not sharing IP RPF FAILURE Off - - - TTL FAILURE On 500 10 Not sharing ICMP UNREAC. NO-ROUTE Off - - - ICMP UNREAC. ACL-DROP Off - - - ICMP REDIRECT On 100 10 Not sharing MTU FAILURE Off - - - MCAST IP OPTION Off - - - UCAST IP OPTION Off - - - LAYER_2 PDU Off - - - LAYER_2 PT Off - - - IP ERRORS Off - - - CAPTURE PKT Off - - - MCAST IGMP Off - - - MCAST IPv6 DIRECT CON Off - - - MCAST IPv6 *G M BRIDG Off - - - MCAST IPv6 *G BRIDGE Off - - - MCAST IPv6 SG BRIDGE Off - - - MCAST IPv6 ROUTE CNTL Off - - - MCAST IPv6 DFLT DROP Off - - - MCAST IPv6 SECOND. DR Off - - - Switch#
For more information, see Hardware-Based Rate Limiters on the PFC3.
Currently, there is no counter associated with these Hardware Rate Limiters; as a result, there is no syslog message or SNMP trap when a given type of traffic crosses a rate limiter threshold. Hardware Rate Limiter information is available through the use of the show mls statistics command on systems with Policy Feature Cards (PFC) 3B or PFC-3BXLs.
Switch#show mls statistics Statistics for Earl in Module 7 L2 Forwarding Engine Total packets Switched : 1741460623 L3 Forwarding Engine Total packets L3 Switched : 1702442813 @ 0 pps Total Packets Bridged : 7720 Total Packets FIB Switched : 1571225488 Total Packets ACL Routed : 0 Total Packets Netflow Switched : 1 Total Mcast Packets Switched/Routed : 217239 Total ip packets with TOS changed : 217253 Total ip packets with COS changed : 2 Total non ip packets COS changed : 0 Total packets dropped by ACL : 123591 Total packets dropped by Policing : 0 Total packets exceeding CIR : 0 Total packets exceeding PIR : 0 Errors MAC/IP length inconsistencies : 0 Short IP packets received : 0 IP header checksum errors : 0 TTL failures : 828 MTU failures : 0 Total packets L3 Switched by all Modules: 1729461809 @ 10 pps
In the preceeding example, 828 packets with TTL values less than or equal to one have been processed by the CPU.
The purpose of this document is to provide several options that are currently available within IOS devices to mitigate the adverse impacts of TTL expiry attacks. All of these mitigation techniques should be performed in controlled lab environments prior to deploying these configurations in a production setting.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.