Protect hosts from Internet attack limiting Time To Live (TTL).

It’s Time To Use (TTU) brain cells… instead of budget!

Security is a major issue these days, especially on legacy systems that can’t be patched easily or at all. What about the company’s golden-goose databases, do they need to be directly accessed from the Internet? No, typically they are accessed from Web or Application servers a few TCP/IP Time To Live (TTL) Hops away. So why allow such systems to have a TTL that “could” reach the scary far away places on the Internet? What if you did have a hole in your firewall? These systems would be unnecessarily vulnerable.

Using fundamental network theory we can cripple such systems from the Hackers easy prey. Most if not all TCP/IP protocol stacks can be modified to limit how many routers a packet can traverse.

The purpose of the TTL field is primarily to limit the effect a route loop has to consume bandwidth forever. Here’s the way it works. As a packet leaves a host, its TTL also termed as a “Hop Count” is set to limit its ability to live as it “Hops” through routers. Each router is considered a “Hop” and the router decrements the TTL/Hop field as it traverses the router. The default for a Microsoft product these days is 128 hops. This is long enough to go through 127 routers – long and far enough to reach scary places we read about where Hackers lurk around the entire globe. Do you want your database accessible from remote parts of China? But why then if it never needs to go there do we leave the default TTL on vulnerable systems – systems that may never need to access the Internet.

It seems that everyday a security report finds a new vulnerability on an old system or a new one of high importance. Patching these systems now employs many. I think the old Y2K folks are showing up here, along with their gloom and doom for the future. Oh well, it’s a bad world out there, but the good guys are still smarter – and better looking.

So, I say, let’s just cripple all our systems that do not need to access the Internet from being able to do so with the TTL parameter. This will give us one more feather to put in our “White Hats” and it’s a pretty easy way to protect many of our most vulnerable systems from Internet hacking.

Other security measures could be used to limit certain users from accessing systems beyond their need – like warehouse users from Internet access. The TTL/Hop field in the IP header can be set by manual edit or through DHCP settings or in the operating system image for certain purposes.

So, go ask your platform, mainframe and database administrators if they worry about their systems being accessed from the Internet – and then ask their TTL value. And if you still have some old OS/2 machines ask them when they last patched them for security holes.

I know this will become an easy, efficient and popular way to help protect our vulnerable and important systems in the future. With your help we will start a tech-note on our web site for how to set the TTL on many hosts in the near future. So let us know how you set your TTL/HOP count on your specific platform at discuss@anheng.com and we’ll share it with others. This is one hole that knowledge does not help the Hacker exploit any further– it’s already exploitable by default.

Technical Troubles:

Now for the bad news: you can stop communications you desire if you don’t consider your own network diameter properly and reconsider such when a host is moved or accessed by new clients. But the problem is easily diagnosed with Ping and will show up as a TTL expired in transit error. So, do your homework as this is the easiest and most effective solution one can implement to help protect your organization’s information – and the price? No capital expenditures! No big install project. Just use some brain cells instead of budget for a highly effective solution.

Other Troubles and Excuses:

Some techie’s want to download patches directly from the Internet from such machines and won’t want to limit their reach. Don’t fall for this make them download if from another machine then move it over.

Firewall tech’s will say “we’re blocking all the ports so TTL doesn’t matter”. Famous last words… well, it should have anyway.

Others may say “Bummer/Drag, using brain cells doesn’t let us buy new equipment and software, get T-Shirts and stuff like that”. But it sure has great ROI. Buy some PMG NetAnalyst training for these folks to get them motivated to use brain cells more often and introduce them to the exciting life of a Certified NetAnalyst Forensics Professional.

Here’s some popular TTL default values:

AIX - 60
DEC Pathworks V5 - 30
FreeBSD 2.1R - 64
HP/UX 9.0x - 30
HP/UX 10.01 - 64
Irix 5.3 - 60
Irix 6.x - 60
Linux - 64
MacOS/MacTCP 2.0.x - 60
OS/2 TCP/IP 3.0 - 64
OSF/1 V3.2A - 60
Solaris 2.x - 255
SunOS 4.1.3/4.1.4 - 60
Ultrix V4.1/V4.2A - 60
VMS/Multinet - 64
VMS/TCPware - 60
VMS/Wollongong 1.1.1.1 - 128
VMS/UCX (latest rel.) - 128
MS WfW - 32
MS Windows 95 - 32
MS Windows NT 3.51 - 32
MS Windows NT 4.0 SP5- - 32
MS Windows NT 4.0 SP6+ - 128
MS Windows 98 - 128
MS Windows XP - 128
MS Windows Server 2003 - 128
Most Router Vendors - 255