Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:449 |
Message | ICMP Time-To-Live Exceeded in Transit |
Summary | This event is generated when a routing device detects that a packet has exceeded the maximum number of allowable hops. |
Impact | Informational. This indicates that a packet has been expired by an internal router. This may be an indication of an attacker attempting a traceroute of a host in your network. |
Detailed Information | Each packet is assigned an initial Time To Live (TTL) value before being sent. This value is usually set by the operating system of the sending host's TCP/IP stack. The TTL value represents the maximum number of hops a packet may take before being expired by a routing device. This is done to remove lost or misrouted packets from the network. The traceroute utility assigns its own TTL values to dictate the number of hops a packet takes, in order to discover all the routing devices that a packet traverses. During the process, an ICMP "Time Exceeded in Transit" message may be observed. If a router in your network sends this message, it may be an indication that an attacker is attempting a traceroute of a host in your network. |
Affected Systems | Any device that expires a packet will generate this ICMP message. |
Attack Scenarios | An attacker may attempt a traceroute to discover your routing devices and network topology. |
Ease of Attack | Simple. The UNIX traceroute and Windows tracert utilities ship with their respective operating systems. |
Corrective Action | Sites may elect to disable this ICMP message on the outbound interface to prevent releasing potentially valuable reconnaissance information about the network topology. |
Additional References |
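The following is an added example and not part of the Aanval or Snort documentation above. It is a small Python decoder that recognizes the message this signature reports (ICMP type 11, code 0, "TTL exceeded in transit"), verifies the ICMP checksum, and digs out the quoted datagram so an analyst can see whose probe expired, where it was headed, and whether it looks like a classic UDP traceroute probe. The packet is constructed inline from assumed addresses (10.0.0.1 as the router, 192.0.2.10 as the probing host, 198.51.100.5 as the probe's target); the UDP port-range heuristic in `is_traceroute_style` is the author's own and is not part of the signature.

```python
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11            # ICMP type shared by both codes below
ICMP_TTL_EXCEEDED_IN_TRANSIT = 0   # code 0: TTL reached zero at a router (what this signature reports)
ICMP_FRAG_REASSEMBLY_TIMEOUT = 1   # code 1: fragment reassembly timeout (not the traceroute case)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; run over an intact header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp(itype: int, code: int, rest: bytes) -> bytes:
    """ICMP header (type, code, checksum) followed by `rest`, with the checksum filled in."""
    body = struct.pack("!BBH", itype, code, 0) + rest
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_time_exceeded(router: str, sender: str, orig_dst: str) -> bytes:
    """Constructed sample of what a router emits when a traceroute-style UDP probe expires:
    router -> sender, type 11 code 0, quoting the expired datagram's IP header + 8 bytes."""
    expired_ip = build_ipv4_header(sender, orig_dst, 17, 8, 1)   # TTL 1 on arrival at the router
    expired_udp = struct.pack("!HHHH", 33434, 33435, 8, 0)       # ports in the classic traceroute range
    icmp = build_icmp(ICMP_TIME_EXCEEDED, ICMP_TTL_EXCEEDED_IN_TRANSIT,
                      b"\x00" * 4 + expired_ip + expired_udp)   # 4 unused bytes, then the quote
    return build_ipv4_header(router, sender, 1, len(icmp), 64) + icmp


def parse_time_exceeded(packet: bytes):
    """Return a summary dict if `packet` is an IPv4 ICMP Time Exceeded message, else None.
    Mirrors the signature's match condition (ICMP type 11) and also decodes the quoted datagram."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:          # not ICMP, or truncated
        return None
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:                           # damaged; do not trust the fields
        return None
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_TIME_EXCEEDED:
        return None
    info = {
        "router": str(ipaddress.IPv4Address(packet[12:16])),   # the device that expired the packet
        "probe_source": str(ipaddress.IPv4Address(packet[16:20])),
        "code": code,
        "ttl_exceeded_in_transit": code == ICMP_TTL_EXCEEDED_IN_TRANSIT,
    }
    quoted = icmp[8:]                                      # original IP header + 8 bytes of payload
    if len(quoted) >= 20:
        qihl = (quoted[0] & 0x0F) * 4
        info["expired_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        info["expired_proto"] = quoted[9]
        info["expired_ttl"] = quoted[8]
        if quoted[9] == 17 and len(quoted) >= qihl + 4:
            info["udp_dst_port"] = struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]
    return info


def is_traceroute_style(info) -> bool:
    """Heuristic (assumption): UDP probes to 33434-33534 match the classic UNIX traceroute pattern."""
    return (bool(info)
            and info.get("ttl_exceeded_in_transit", False)
            and info.get("expired_proto") == 17
            and 33434 <= info.get("udp_dst_port", 0) <= 33534)


if __name__ == "__main__":
    sample = build_time_exceeded("10.0.0.1", "192.0.2.10", "198.51.100.5")
    details = parse_time_exceeded(sample)
    print(details)
    print("traceroute-style:", is_traceroute_style(details))
```

Run as a script it prints the decoded fields of the constructed packet and flags it as traceroute-style. The quoted datagram is the useful part for triage: the outer source tells you which of your routers answered, while the inner destination and port tell you what the external host was probing. When acting on the Corrective Action above, bear in mind that dropping outbound type 11 messages also breaks legitimate traceroute and path-MTU diagnostics run from outside, so most sites filter them only at the perimeter rather than on every router.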
--
DID:695571
--