Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1321 |
Message | BAD-TRAFFIC 0 ttl |
Summary | This event is generated when packets on the network have the Time To Live (TTL) set to 0. |
Impact | Improper use of IP multicasting by an application causing anomalous behaviour on the network. This may have a detrimental effect on network devices. |
Detailed Information | Under normal circumstances the TTL should not be 0. This may be the result of a poorly designed application sending a TTL of 0 using Winsock. It may also be an indicator of unauthorized network use, reconnaissance activity or system compromise. These rules may also generate an event due to improperly configured network devices. |
Affected Systems | Windows 95, Windows NT 3.5 and 3.51 |
Attack Scenarios | The application may be using a flaw in some versions of Winsock that allows multicast packets to have a TTL of 0. |
Ease of Attack | Simple |
Corrective Action | Apply the appropriate vendor fixes. |
Additional References | Microsoft: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q138268 http://support.microsoft.com/default.aspx?scid=kb;EN-US;131978 |
Rule References | url: support.microsoft.com/default.aspx?scid=kb\ url: www.isi.edu/in-notes/rfc1122.txt |
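Added example (not part of the Aanval or Snort documentation): a Python check for the condition the Summary describes, an IPv4 header with TTL 0, which also separates the multicast case named under Attack Scenarios from other zero-TTL traffic. The function names, result labels and sample packets are constructed for illustration; the header checksum is left at 0 and is not validated.

```python
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def parse_ipv4_header(packet: bytes):
    """Return (ttl, src, dst) for a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag,
     ttl, _proto, _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20:
        return None
    if len(packet) < header_len or total_len < header_len:
        return None
    return ttl, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def triage(packet: bytes) -> str:
    """Classify a packet for review; labels are hypothetical, not Snort output."""
    hdr = parse_ipv4_header(packet)
    if hdr is None:
        return "malformed"
    ttl, _src, dst = hdr
    if ttl != 0:
        return "ok"
    # 224.0.0.0/4 destination: the Winsock multicast scenario in the write-up.
    if dst.is_multicast:
        return "ttl0-multicast"
    # Anything else: check for the other causes listed (misconfigured device,
    # unauthorized use, reconnaissance).
    return "ttl0-other"


def build(src: str, dst: str, ttl: int, proto: int = 17) -> bytes:
    """Construct a bare 20-byte IPv4 header as sample input (checksum left 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    for dst, ttl in (("239.1.2.3", 0), ("198.51.100.7", 0), ("198.51.100.7", 64)):
        print(dst, ttl, triage(build("192.0.2.10", dst, ttl)))
```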
--
DID:167494