TTL: catching network perimeter violators, or debunking myths.

16 Jul

Hello to everyone reading this article today!

I have not found anywhere on the Internet any mention of the possible use of the TTL field (time to live: the lifetime of a data packet in the IP protocol) in the way discussed below.
Nor have I found this functionality in any well-known commercial or open-source security system for local or wide-area networks.
Meanwhile, the possibilities for using this field to secure local and wide-area networks are quite broad. It allows, with a high degree of reliability (not absolute reliability where packet generators are in use), detecting violators of the perimeter of a local network or of a segment of any other network, and it also allows fairly accurate identification of the regional location of users on wide-area networks. Today I will cover only one way of using the TTL field in local network security systems; I promise to present material on using TTL to identify users on wide-area networks for your review in a while.
Let's begin with the algorithm by which computer hooligans, that is, violators of the network security perimeter, can be identified:
1. Set a periodically changing TTL value on the hosts in our local network. On MS Windows this value can be set through local or group security policy, or by changing the registry parameter [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters] "DefaultTTL"=dword:00000063 (99 in decimal; keep in mind that changes under Tcpip\Parameters generally take effect only after a reboot). On Linux the value is changed through the corresponding network stack parameter: echo 120 > /proc/sys/net/ipv4/ip_default_ttl. These changes can be implemented as scripts (VBScript for MS Windows, then added to a GPO; bash for Linux platforms) and scheduled for periodic execution (Task Scheduler, cron). A one-time change of the TTL parameter is also possible when the need to identify a perimeter violator arises. A violation of the network security perimeter can happen for various reasons, including as a result of insider actions.
2. It makes sense to set a periodically changing TTL value, different from the TTL value of the other hosts, specifically on the hosts that are not allowed Internet access through the organization's gateway. This will allow tracing users who break the organization's security, since it is logical to assume that such violators somehow obtained administrative rights on the host (given that the gateway authenticates by MAC-IP pair) and/or that someone out of sheer kindness told another employee the Internet access password for the gateway. On the hosts that are not allowed Internet access we set the TTL field to just a few units; a packet is discarded when its TTL reaches zero, so a packet sent with TTL n is forwarded by at most n-1 routers and will not give violators access to Internet resources. This is a tripwire in addition to the gateway's access control, not a replacement for it.
3. After these simple preparations we end up with known TTL values for our subnet (network) that change over time. Agree that the violator will not know about this, and that gives us the chance to expose such an uninvited guest by the value of its TTL: the violator's TTL value will differ from the TTL values currently known to us for our subnet (network).
4. Here is the trick. 🙂 To monitor TTL values in the network, various software can be used (packet analyzers filtering on the TTL values known to us; an IDS or IPS with a corresponding add-on written for it) that tracks invalid TTL field values in packets and gives us information about the violator; automatic blocking of the violator by preventive-response means also becomes possible. Additional filtering is applied: on the SYN flag (TCP) or on a connection request (NEW); for UDP, on a NEW connection request; and on the valid address range of the network. Keep in mind that a packet reaches the sensor with its initial TTL decremented by every router it crossed, so the value expected at the sensor is the value set on the hosts minus the number of hops from them to the sensor. The same treatment is needed for the IPv6 Hop Limit field, otherwise IPv6 traffic is a blind spot.
5. Once the violator has been identified, a network management station (SNMP) can be used to find it on the ports of our switches by its MAC and IP addresses.
6. We go to the violator and administer justice.
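The six steps above, as an added example that is not part of the original post: a small Python sentry that parses constructed IPv4 packets and applies the filters of step 4 (TCP SYN without ACK, first datagram of a UDP flow, valid address range) against the TTL values rolled out in steps 1 and 2. The subnets, the per-subnet TTL values, the sample packets and the assumption that the sensor sits one router hop from the hosts are all mine, not the author's; the sensor subtracts that hop distance because every router decrements the TTL on the way.

```python
"""Added example: a TTL sentry for the scheme in steps 1-6 (not the post's own code).
Assumptions: monitored subnets, their rolled-out TTL values and the sensor's hop
distance are invented for the demo; packets are constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10
Flow = Tuple[str, str, int, int, int]   # src, dst, proto, sport, dport


@dataclass
class Expectation:
    network: ipaddress.IPv4Network
    initial_ttl: int       # value rolled out to these hosts (steps 1 and 2)
    hops_to_sensor: int    # routers between those hosts and the sensor; 0 on a SPAN of the same segment


def build_packet(src: str, dst: str, ttl: int, proto: int,
                 sport: int = 40000, dport: int = 80, flags: int = SYN) -> bytes:
    """Construct a minimal IPv4 + TCP/UDP packet as sample input (checksums left zero)."""
    total = 20 + (20 if proto == TCP else 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto == TCP:   # sport, dport, seq, ack, data offset 5 words, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:              # sport, dport, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + l4


def parse_packet(raw: bytes) -> Optional[Tuple[ipaddress.IPv4Address, int, int, bool, Flow]]:
    """Return (src, proto, ttl, tcp_syn_only, five_tuple) for an IPv4 TCP/UDP packet, else None."""
    if len(raw) < 20:
        return None
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4 or proto not in (TCP, UDP):
        return None
    l4 = raw[(vihl & 0x0F) * 4:]
    if len(l4) < (14 if proto == TCP else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    syn_only = proto == TCP and (l4[13] & (SYN | ACK)) == SYN   # connection request, not SYN/ACK
    srcaddr = ipaddress.IPv4Address(src)
    return srcaddr, proto, ttl, syn_only, (str(srcaddr), str(ipaddress.IPv4Address(dst)), proto, sport, dport)


class TTLSentry:
    """Flags new flows whose observed TTL contradicts the value we set on the source subnet."""

    def __init__(self, expectations: List[Expectation], valid_range: ipaddress.IPv4Network):
        self.expectations = expectations
        self.valid_range = valid_range
        self.seen_flows: Set[Flow] = set()   # stand-in for conntrack, used to mark UDP flows NEW

    def check(self, raw: bytes) -> Optional[Tuple[str, int, Optional[int]]]:
        """Return (src, observed_ttl, expected_ttl) for a suspicious new flow, else None."""
        parsed = parse_packet(raw)
        if parsed is None:
            return None
        src, proto, ttl, syn_only, flow = parsed
        if src not in self.valid_range:      # only sources inside our address range are judged
            return None
        if proto == TCP:
            is_new = syn_only
        else:
            is_new = flow not in self.seen_flows
            self.seen_flows.add(flow)
        if not is_new:
            return None
        for exp in self.expectations:
            if src in exp.network:
                expected = exp.initial_ttl - exp.hops_to_sensor
                return None if ttl == expected else (str(src), ttl, expected)
        return (str(src), ttl, None)         # inside our range, but no TTL policy covers it

    def scan(self, packets: List[bytes]) -> List[Tuple[str, int, Optional[int]]]:
        return [alert for alert in map(self.check, packets) if alert is not None]


def demo() -> List[Tuple[str, int, Optional[int]]]:
    """Run the sentry over constructed traffic seen one router hop away from the hosts."""
    sentry = TTLSentry(
        expectations=[
            Expectation(ipaddress.ip_network("192.168.10.0/24"), initial_ttl=99, hops_to_sensor=1),  # 0x63 from step 1
            Expectation(ipaddress.ip_network("192.168.20.0/24"), initial_ttl=3, hops_to_sensor=1),   # no-Internet hosts, step 2
        ],
        valid_range=ipaddress.ip_network("192.168.0.0/16"),
    )
    packets = [
        build_packet("192.168.10.5", "203.0.113.9", 98, TCP),              # managed host, 99 minus 1 hop: fine
        build_packet("192.168.10.5", "203.0.113.9", 127, TCP, flags=ACK),  # not a SYN: ignored
        build_packet("192.168.10.77", "203.0.113.9", 127, TCP),            # stock TTL 128 minus 1 hop: unmanaged host
        build_packet("192.168.20.4", "203.0.113.9", 127, TCP),             # restricted host whose TTL policy was undone
        build_packet("192.168.20.4", "192.168.1.53", 2, UDP, dport=53),    # first datagram of a UDP flow: fine
        build_packet("192.168.20.4", "192.168.1.53", 2, UDP, dport=53),    # same flow again, not NEW: ignored
        build_packet("10.0.0.1", "203.0.113.9", 64, TCP),                  # outside the valid range: not judged
        build_packet("192.168.30.9", "203.0.113.9", 63, TCP),              # in range but no policy: reported
    ]
    return sentry.scan(packets)


if __name__ == "__main__":
    for src, observed, expected in demo():
        print(f"ALERT {src}: observed TTL {observed}, expected {expected}")
```

In a real deployment the packets would come from a SPAN port or a netfilter log rather than build_packet, and the UDP NEW decision would come from the gateway's connection tracking rather than an in-memory set that never expires. The check is only as strong as the assumption that the violator does not know the current TTL: anyone who does, or who drives a packet generator, sets whatever TTL they like, which is the limitation the author notes for packet generators.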

As you have already understood, this method makes finding a violator in a local network quite trivial.

That is all the information I wanted to share with you, dear readers of my blog.

Please note, dear visitors: when using the material of this article or any part of it, a direct link to this article is mandatory. All rights to this article, including intellectual property rights, belong to the author of this site.

If this article interested you, please share the link to it with your acquaintances.

UPD: I hope readers know the boundary values of the TTL field for local and wide-area networks. Let's not forget the effect of the TTL field on packet routing as a packet passes through routers, but that is the concern of the providers, who are obliged to make corresponding changes to some fields of transit packets, such as TTL and ToS, according to the requirements of the upstream telecommunication companies. Pay special attention to multicast and anycast traffic.

UPD2: Note that this algorithm also makes it possible to expose such a scourge of computer networks as packet generators, down to the segment and then down to the port (searching within a segment is not difficult if traffic mirroring on managed equipment is used, or even by hand). 😉 There are also other applications of this algorithm that allow raising the protection level of computer networks to a qualitatively new level. But more on that later.


