NF – TTL below 30 – TTL Expiry Attack from inside to outside

A TTL (Time To Live) below 30 attack refers to a specific type of network attack where an attacker intentionally sets the TTL value to a very low value (typically below 30) in packets they send out. This attack aims to exploit the Time To Live mechanism in the IP protocol to perform reconnaissance or evade network security measures.

Categories:

ID Number

5007106

Signature

alert ip $HOME_NET ![67,68] -> ![224.0.0.0/24,239.255.255.250] ![67,68] (msg:"NF - TTL below 30 - TTL Expiry Attack from inside to outside"; ttl:<30; reference:url,networkforensic.dk; reference:url,journals.sfu.ca/apan/index.php/apan/article/view/14; metadata:14032020; sid:5007106; classtype:misc-activity; rev:9;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

if the network is disconnected from the internet it's reccomended to disable the alert because of a big number of False Positives