GEN:SID | 1:449 |
Message | ICMP Time-To-Live Exceeded in Transit |
Summary | This event is generated when an ICMP "Time Exceeded" message with code 0 (TTL exceeded in transit; ICMP type 11, code 0) is observed. A routing device sends this message back to the original sender after discarding a packet whose Time To Live (hop count) reached zero.
|
Impact | Informational. This indicates that a router decremented a packet's TTL to zero and discarded it. When the message originates from a router inside your network, it may be an indication of an attacker attempting a traceroute of a host in your network.
|
Detailed Information | Each IP packet is assigned an initial Time To Live (TTL) value before being sent. The initial value is normally chosen by the sending host's TCP/IP stack (typically 64, 128 or 255, depending on the operating system). Every router that forwards the packet decrements the TTL by one; when the TTL reaches zero the router discards the packet and returns an ICMP Time Exceeded message (type 11, code 0) to the original source. The returned message carries the IP header and the first 8 bytes of the discarded datagram, so the sender can match it to the packet it sent. This mechanism purges lost or looping packets from the network. The traceroute utility exploits it deliberately: it sends a series of probes with TTL values of 1, 2, 3 and so on, so that each successive router along the path expires one probe and reveals its own address in the Time Exceeded message it returns. UNIX traceroute normally sends UDP probes to high destination ports (starting at 33434 and stepping up per probe); Windows tracert sends ICMP echo requests with incrementing sequence numbers. If a router in your network sends Time Exceeded messages in this pattern, it may be an indication that an attacker is attempting a traceroute of a host in your network.
|
Affected Systems | Any router or host that discards a packet because its TTL reached zero will generate this ICMP message.
|
Attack Scenarios | An attacker may attempt a traceroute to a host in your network to discover the routing devices in the path and, from them, your network topology.
|
Ease of Attack | Simple. traceroute (UNIX) and tracert (Windows) ship with the operating system; no special tooling is required.
|
Corrective Action | Sites may elect to suppress this ICMP message on outbound interfaces to avoid releasing potentially valuable reconnaissance about the network topology. Note that doing so also breaks legitimate traceroute diagnostics and can hide routing loops; filtering outbound ICMP type 11 at the border rather than on every router limits the loss to outside observers. When investigating an alert, examine the original datagram quoted inside the ICMP message to tell a traceroute probe (UDP to ports 33434 and above, or ICMP echo requests with incrementing sequence numbers, arriving from several different routers) from an ordinary packet caught in a routing loop.
|
Additional References | RFC 792, Internet Control Message Protocol (Time Exceeded Message) |
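The following is an added example, not part of this rule documentation and not Snort code, showing how the Time Exceeded messages described under Detailed Information can be decoded and how the TTL-stepping pattern left by traceroute (UDP probes) and tracert (ICMP echo probes) under Ease of Attack can be told apart from a single expired packet. All packet bytes are constructed samples; the router and host addresses are documentation ranges chosen for the example.

```python
"""Added example: decode ICMP "Time Exceeded in Transit" (type 11, code 0)
messages and flag the TTL-stepping pattern that traceroute/tracert produce.
All packet bytes below are constructed samples, not captured traffic."""
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

ICMP_TIME_EXCEEDED = 11          # ICMP type
TTL_EXCEEDED_IN_TRANSIT = 0      # ICMP code
IP_PROTO_ICMP, IP_PROTO_UDP = 1, 17
IPV4_FMT = "!BBHHHBBH4s4s"       # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal IPv4 header; checksum left zero because nothing transmits these bytes."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       inet_aton(src), inet_aton(dst))


def time_exceeded(router, orig_src, orig_dst, orig_proto, orig_l4):
    """Constructed sample of what a router returns when it expires a probe:
    outer IP (router -> original sender) + 8-byte ICMP 11/0 header + quoted
    original IP header + first 8 bytes of the original transport header.
    The TTL a router quotes varies by implementation; the sample uses 1."""
    quoted = ipv4_header(orig_src, orig_dst, orig_proto, 1, len(orig_l4)) + orig_l4[:8]
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, TTL_EXCEEDED_IN_TRANSIT, 0, 0) + quoted
    return ipv4_header(router, orig_src, IP_PROTO_ICMP, 64, len(icmp)) + icmp


def parse_time_exceeded(pkt):
    """Return the fields a detection cares about, or None if pkt is not ICMP 11/0."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_ICMP or len(pkt) < ihl + 8 + 20:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != TTL_EXCEEDED_IN_TRANSIT:
        return None
    quoted = icmp[8:]                      # original datagram follows the ICMP header
    q_ver_ihl, _, _, _, _, q_ttl, q_proto, _, q_src, q_dst = struct.unpack(IPV4_FMT, quoted[:20])
    q_ihl = (q_ver_ihl & 0x0F) * 4
    l4 = quoted[q_ihl:q_ihl + 8]
    if len(l4) < 8:
        return None
    if q_proto == IP_PROTO_UDP:                      # UNIX traceroute: dst port steps up per probe
        probe_id = struct.unpack("!H", l4[2:4])[0]
    elif q_proto == IP_PROTO_ICMP and l4[0] == 8:    # Windows tracert: echo request, seq steps up
        probe_id = struct.unpack("!H", l4[6:8])[0]
    else:
        probe_id = None
    return {"router": inet_ntoa(src), "orig_src": inet_ntoa(q_src), "orig_dst": inet_ntoa(q_dst),
            "orig_ttl": q_ttl, "orig_proto": q_proto, "probe_id": probe_id}


def find_traceroutes(packets, min_hops=3):
    """Group messages by the quoted (source, destination) pair. A traceroute shows up
    as Time Exceeded replies from several different routers whose quoted probe ids
    rise monotonically; one packet expired in a routing loop never looks like that."""
    flows = defaultdict(list)
    for pkt in packets:
        info = parse_time_exceeded(pkt)
        if info is not None:
            flows[(info["orig_src"], info["orig_dst"])].append(info)
    hits = {}
    for flow, msgs in flows.items():
        ids = [m["probe_id"] for m in msgs]
        routers = [m["router"] for m in msgs]
        if None in ids or len(set(routers)) < min_hops:
            continue
        if all(a < b for a, b in zip(ids, ids[1:])):
            hits[flow] = routers
    return hits


def udp_probe(dport):
    return struct.pack("!HHHH", 40000, dport, 40, 0)       # sport, dport, length, checksum


def echo_probe(seq):
    return struct.pack("!BBHHH", 8, 0, 0, 1, seq)           # type 8, code, checksum, id, seq


SAMPLES = [
    # UNIX traceroute 203.0.113.7 -> 192.0.2.10: three hops answer, UDP ports 33434..33436
    time_exceeded("198.51.100.1", "203.0.113.7", "192.0.2.10", IP_PROTO_UDP, udp_probe(33434)),
    time_exceeded("198.51.100.2", "203.0.113.7", "192.0.2.10", IP_PROTO_UDP, udp_probe(33435)),
    time_exceeded("198.51.100.3", "203.0.113.7", "192.0.2.10", IP_PROTO_UDP, udp_probe(33436)),
    # Windows tracert 203.0.113.8 -> 192.0.2.10: ICMP echo requests with sequence 1, 2, 3
    time_exceeded("198.51.100.1", "203.0.113.8", "192.0.2.10", IP_PROTO_ICMP, echo_probe(1)),
    time_exceeded("198.51.100.2", "203.0.113.8", "192.0.2.10", IP_PROTO_ICMP, echo_probe(2)),
    time_exceeded("198.51.100.3", "203.0.113.8", "192.0.2.10", IP_PROTO_ICMP, echo_probe(3)),
    # one TCP segment expired by a single router: benign noise, not a traceroute
    time_exceeded("198.51.100.9", "192.0.2.20", "192.0.2.30", 6, struct.pack("!HHI", 51000, 443, 1)),
    # an ICMP echo reply (type 0): the parser must ignore it
    ipv4_header("192.0.2.10", "203.0.113.7", IP_PROTO_ICMP, 60, 8) + struct.pack("!BBHHH", 0, 0, 0, 1, 1),
]

if __name__ == "__main__":
    for (src, dst), hops in find_traceroutes(SAMPLES).items():
        print(f"traceroute {src} -> {dst} revealed {len(hops)} hops: {', '.join(hops)}")
```

The parser locates the quoted datagram by the IP header length fields rather than fixed offsets, so it still works when either header carries options. The grouping key is the quoted source/destination pair, not the router that replied, because the attacker's probes are what tie the replies from different routers together.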