Cisco Support Community
New Member

Filtering packets w/ IDS feature set based on TTL?

Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.

Mike

CCNA

4 REPLIES
Bronze

Re: Filtering packets w/ IDS feature set based on TTL?

The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:

Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)

Drop the packet

Reset the TCP connection

Cisco Employee

Re: Filtering packets w/ IDS feature set based on TTL?

IPS certainly has the capability to look at and track TTL in connections. It does this by default in the normalizer engine (and modifies the TTL field as required). Not real sure how inspecting TTL can help track people sharing their connections.

Gold

Re: Filtering packets w/ IDS feature set based on TTL?

Here is a discussion of the various ways of detecting and counting the number of devices behind a NAT router.

http://www.topsight.net/article.php?story=2003042408350170

New Member

Re: Filtering packets w/ IDS feature set based on TTL?

When people attach a rogue router or use Microsoft ICS on the network, it should decrement the TTL by one right? I'm just looking for a quick easy way to detect and block it. I've never worked on an IDS or IPS before. I downloaded the IDS feature set for a 2600 router, but I haven't found a way to implement it yet. I run a small recreational ISP, and I don't want people stealing service.
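The TTL heuristic discussed in this thread, worked through as an added example (this is not code from the thread, from Cisco, or from the linked article). It assumes per-packet records exported from a capture on the access router's customer-facing side, in a constructed "src=... ttl=..." line format, and it assumes the usual OS default initial TTLs of 64, 128 and 255. A host plugged in directly arrives with its default TTL intact; a rogue router or an ICS host forwarding for other machines has decremented it once, so 63, 127 or 254 shows up instead, and several different TTLs behind one address point to several devices sharing it:

```python
"""Heuristic detection of a NAT router or ICS host on a customer connection,
based on the TTL of packets seen at the ISP access router.

Assumptions (made for this example, not taken from the original thread):
- records are captured on the customer-facing side of the access router, so a
  directly attached host arrives with its OS default TTL (64, 128 or 255);
- a NAT router or ICS host forwarding for other machines decrements the TTL
  once before the packet reaches the capture point (63, 127 or 254).
"""
from collections import defaultdict
import re

# Initial TTL values used by common operating systems (well-known defaults).
DEFAULT_TTLS = {64, 128, 255}

# Constructed sample of per-packet records, one per line, in a format a
# capture or flow export tool might produce. Not real customer data.
SAMPLE_LOG = """\
src=192.0.2.10 dst=198.51.100.5 proto=tcp ttl=128
src=192.0.2.10 dst=198.51.100.9 proto=udp ttl=128
src=192.0.2.11 dst=198.51.100.5 proto=tcp ttl=127
src=192.0.2.11 dst=198.51.100.7 proto=tcp ttl=63
src=192.0.2.12 dst=198.51.100.5 proto=tcp ttl=63
src=192.0.2.13 dst=198.51.100.5 proto=icmp ttl=255
src=192.0.2.14 dst=198.51.100.5 proto=tcp ttl=44
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) .*?ttl=(?P<ttl>\d+)")


def parse_log(text):
    """Return a dict mapping source IP -> set of TTL values observed from it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the fields we need
        seen[m.group("src")].add(int(m.group("ttl")))
    return dict(seen)


def classify(ttls):
    """Classify the set of TTLs seen from one source address.

    'direct'       the single observed TTL is an untouched OS default
    'one-hop-nat'  the single observed TTL is exactly one below a default:
                   one device is forwarding on behalf of the address
    'multi-os'     more than one distinct TTL: several devices (probably with
                   different operating systems) share the address
    'unknown'      a TTL that fits neither pattern (tunnel, unusual OS
                   default, or a capture point more than one hop away)
    """
    if len(ttls) > 1:
        return "multi-os"
    (ttl,) = ttls
    if ttl in DEFAULT_TTLS:
        return "direct"
    if ttl + 1 in DEFAULT_TTLS:
        return "one-hop-nat"
    return "unknown"


def find_shared_connections(text):
    """Return {src_ip: verdict} for every source that is not plainly 'direct'."""
    verdicts = {}
    for src, ttls in parse_log(text).items():
        verdict = classify(ttls)
        if verdict != "direct":
            verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(find_shared_connections(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

Treat the output as a lead to investigate rather than a block decision: the TTL check is only a heuristic, a customer running an OS with a non-standard default TTL or a VPN tunnel will land in "unknown" or look like a one-hop NAT, and the "multi-os" verdict is the stronger signal because it needs no assumption about the capture point's distance from the host. The article linked above covers the other ways of counting devices behind a NAT router that this single check does not cover.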
