TTL based firewall attacks

hi..

I remember distinctly learning at some point that there is a TTL = 1 based attack on a packet-filtering firewall. I can't seem to recall how it worked out. I researched it online and I'm not talking about port scanning with TTL = 1. Let's say that a user does not have access to some file behind the firewall. How does changing the TTL = 1 give the user access to those certain restricted files?

And does changing the rules of the firewall to drop all packets below a certain TTL, let's say x, help thwart the attack? And how to remedy the situation? Will using a circuit-level or application-level firewall help?

Help is much appreciated.

cheers,

Reply to
dufffman

Consider a packet filtering firewall that monitors FTP traffic, and immediately terminates any FTP session that attempts to access a directory /secure. How can an attacker thwart this security by manipulating the TTL field of the IP packets?

Because the packet with a TTL = 1 will be treated as a normal packet by the firewall.

does this make more sense?

thanks,

Eirik Seim wrote:

recall how

Reply to
dufffman

It doesn't. What you are asking here doesn't make sense. A network firewall has very little to do with access control on individual files. Perhaps you could add some information or perhaps rephrase your question?

Still no sense, I'm afraid. Files are not protected by firewalls; networks and systems are. In a computer system, different systems for accessing files have different access control systems.

Setting the TTL in your IP packets to 1 means (as in "is supposed to mean, in IP networking terms"; it might affect other things, like in some cases maybe security -- but I don't know any such problems off the top of my head) only that the first router in your path will reduce the TTL, as usual, by one. This means TTL will be zero while being processed by the router, and the router will drop the packet, returning a "TTL Expired in Transit" ICMP message. In other words, a packet with TTL=1 will never leave your local network. Or more correctly, your IP subnet.

Reply to
Eirik Seim

This is a real question that I have seen, so I'm sure there is some sort of answer to this, right?

(a) Consider a packet filtering firewall that monitors FTP traffic, and immediately terminates any FTP session that attempts to access a directory /secure. Describe an attack where an attacker can elude this monitoring by manipulating the TTL field of the IP packets. Hint: Note that a packet received by the packet filtering firewall with TTL = 1 will be treated as a normal packet, and used in reconstructing the TCP session. However, this packet will not be forwarded (to the ultimate server) due to the low TTL value. (b) Suppose you modify the packet filtering firewall so that it will drop all packets received with a TTL field value = 1. Will this approach help eliminate the above attack? (c) * Will the use of a circuit-level gateway or an application-level gateway eliminate the above attack?

Reply to
dufffman
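The question's hint describes a monitor that reassembles every packet it receives, while the server only ever sees the packets the firewall actually forwards; the two views of the stream can therefore differ. The following is an added example, not code from any poster in this thread, that models that mismatch in Python and shows the check a defender wants: a reassembler should only count packets whose TTL is large enough to reach the server. It goes a little beyond part (b) of the question by showing that a rule of "drop TTL = 1" is too narrow once there is more than one hop behind the firewall. The packets, the hop counts and the first-byte-wins overlap policy are constructed assumptions for the toy model; real TCP stacks and firewalls differ in how they resolve overlapping segments.

```python
from dataclasses import dataclass

# Toy model of a packet-filtering firewall that reassembles a client->server
# TCP stream to inspect FTP commands. All values below are constructed.


@dataclass(frozen=True)
class Packet:
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as the packet arrives at the firewall
    payload: bytes


def reaches_server(pkt: Packet, hops: int) -> bool:
    """Each router on the path (the firewall included) decrements TTL and
    discards the packet when it hits 0, so surviving `hops` routers
    requires TTL > hops."""
    return pkt.ttl > hops


def reassemble(packets, accept) -> bytes:
    """First-come reassembly (assumption): a byte offset that is already
    filled keeps its value. `accept` decides which packets are considered."""
    stream = {}
    for pkt in packets:
        if not accept(pkt):
            continue
        for i, b in enumerate(pkt.payload):
            stream.setdefault(pkt.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def naive_monitor(packets) -> bytes:
    # The behaviour in the question's hint: every received packet is used,
    # whether or not it can reach the server.
    return reassemble(packets, lambda p: True)


def drop_ttl_one_monitor(packets) -> bytes:
    # Part (b): ignore only packets that arrive with TTL == 1.
    return reassemble(packets, lambda p: p.ttl != 1)


def ttl_aware_monitor(packets, hops: int) -> bytes:
    # The general fix: only count packets the server will also receive.
    return reassemble(packets, lambda p: reaches_server(p, hops))


def server_view(packets, hops: int) -> bytes:
    # By definition the server only sees forwarded packets.
    return reassemble(packets, lambda p: reaches_server(p, hops))


def violates_policy(command: bytes) -> bool:
    """The firewall's rule from the question: kill sessions that CWD into /secure."""
    return command.startswith(b"CWD ") and b"/secure" in command


# Constructed stream, firewall is the only router before the server (hops=1).
# The real command is "CWD /secure\r\n"; a TTL=1 packet carrying "/public" at
# the same sequence offset arrives first and dies at the firewall.
SAMPLE_ONE_HOP = [
    Packet(seq=0, ttl=64, payload=b"CWD "),
    Packet(seq=4, ttl=1, payload=b"/public"),   # accepted by a naive monitor, never forwarded
    Packet(seq=4, ttl=64, payload=b"/secure"),
    Packet(seq=11, ttl=64, payload=b"\r\n"),
]

# Same idea with one extra router behind the firewall (hops=2): a TTL=2
# packet passes a "drop TTL == 1" rule but still expires before the server.
SAMPLE_TWO_HOPS = [
    Packet(seq=0, ttl=64, payload=b"CWD "),
    Packet(seq=4, ttl=2, payload=b"/public"),
    Packet(seq=4, ttl=64, payload=b"/secure"),
    Packet(seq=11, ttl=64, payload=b"\r\n"),
]


if __name__ == "__main__":
    for name, pkts, hops in (("one hop", SAMPLE_ONE_HOP, 1), ("two hops", SAMPLE_TWO_HOPS, 2)):
        print(name)
        print("  naive monitor    :", naive_monitor(pkts), violates_policy(naive_monitor(pkts)))
        print("  drop TTL==1      :", drop_ttl_one_monitor(pkts), violates_policy(drop_ttl_one_monitor(pkts)))
        print("  TTL-aware monitor:", ttl_aware_monitor(pkts, hops), violates_policy(ttl_aware_monitor(pkts, hops)))
        print("  server sees      :", server_view(pkts, hops), violates_policy(server_view(pkts, hops)))
```

Running it shows the naive monitor reconstructing "CWD /public" (no rule match) while the server receives "CWD /secure"; the TTL-aware monitor agrees with the server in both cases, whereas the "drop TTL == 1" rule only helps when the firewall is the last hop. Knowing the hop distance to each protected server is itself an assumption a real deployment has to maintain, which is one reason the question's part (c) points at proxying gateways: a gateway that terminates the client's TCP connection itself never has to guess what the server will see.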

Still makes no sense. Could be a flaw in a certain firewall product, but I'm not familiar with it and neither, it seems, is Google.

Sorry, but no. A normal packet filtering firewall will in most cases also act as a static router (but still a router) and will reduce the TTL value by one, see that it is now zero, and drop the packet.

Consider how a packet travels the internet:

[ Your host ] IP packet with TTL 255 [1]
Reply to
Eirik Seim
