TCP.TTL.Evasion
Description
This indicates detection of a TCP packet with inconsistent Time-to-Live (TTL) information.
The TTL field of an IP header limits the lifetime of a network datagram. According to RFC 1812, when a router forwards a packet, it must reduce the packet TTL by at least one. A packet whose TTL differs significantly from the normalized TTL of the other packets in the same session was very likely sent by an attacker trying to inject potentially malicious data.
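The per-session comparison described above, sketched as an added example (it is not the signature's actual logic): it parses IPv4/TCP headers, keeps a TTL baseline for each direction of a flow, and flags packets that deviate from it. The 3-hop tolerance, the 3-packet warm-up, and the sample addresses and ports are assumptions.

```python
import struct
from collections import Counter, defaultdict

TTL_TOLERANCE = 3  # assumed threshold; the page only says "significantly different"
MIN_BASELINE = 3   # assumed number of packets needed before a flow has a baseline

def parse_ipv4_tcp(pkt: bytes):
    """Return (flow_key, ttl) for an IPv4/TCP packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != 6 or ihl < 20 or len(pkt) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # One key per direction: each direction crosses its own path and has its own TTL.
    return (pkt[12:16], sport, pkt[16:20], dport), ttl

class TtlMonitor:
    def __init__(self):
        self.seen = defaultdict(Counter)  # flow key -> histogram of accepted TTLs

    def check(self, pkt: bytes) -> bool:
        """True if the packet's TTL is inconsistent with its flow's baseline."""
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return False
        key, ttl = parsed
        hist = self.seen[key]
        anomalous = False
        if sum(hist.values()) >= MIN_BASELINE:
            baseline = hist.most_common(1)[0][0]   # most frequent TTL so far
            anomalous = abs(ttl - baseline) > TTL_TOLERANCE
        if not anomalous:
            hist[ttl] += 1                # outliers never shift the baseline
        return anomalous

def build_packet(ttl, src="192.0.2.10", dst="198.51.100.5", sport=40000, dport=443):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5000, 0, 0, 0)

if __name__ == "__main__":
    monitor = TtlMonitor()
    for ttl in (57, 57, 57, 56, 57, 12, 57):   # constructed TTL sequence for one flow
        print(ttl, "ANOMALY" if monitor.check(build_packet(ttl)) else "ok")
```

Because outliers are kept out of the histogram, a genuine route change larger than the tolerance keeps alerting until the flow state is reset.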
Affected Products
Any unprotected system is vulnerable to the attack.
Impact
This is a protocol anomaly. Attackers may inject data into a session.
Recommended Actions
This indicates detection of traffic that does not comply with the protocol standard. Monitor the traffic from that network for any suspicious activity.
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) | |