| GEN:SID | 1:1321 |
| Message | BAD-TRAFFIC 0 ttl |
| Summary | This event is generated when packets on the network have the Time To Live (TTL) set to 0.
|
| Impact | Improper use of IP multicasting by an application causing anomalous behaviour on the network. This may have a detrimental effect on network devices.
|
| Detailed Information | Under normal circumstances the TTL should not be 0.
This may be the result of a poorly designed application sending a TTL of 0 using Winsock.
an indicator of unauthorized network use, reconnaisance activity or system compromise. These rules may also generate an event due to improperly configured network devices.
|
| Affected Systems | Windows 95 Windows NT 3.5 and 3.51
|
| Attack Scenarios | The application may be using a flaw in some versions of Winsock that allow multicast packets to have a TTL of 0.
|
| Ease of Attack | Simple
|
| Corrective Action | Apply the appropriate vendor fixes.
|
| Additional References | Microsoft: http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268 http://support.microsoft.com/default.aspx?scid=kb;EN-US;131978
|
| Rule References | url: support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268
url: www.isi.edu/in-notes/rfc1122.txt
|