Using abnormal TTL values to detect malicious IP packets
نویسنده
چکیده
In general, an IP packet passes through less than 30 routers before it reaches a destination host. According to our observations, some IP packets have an abnormal time-to-live (TTL) value that is decreased by more than 30 increments from the initial TTL. These packets are likely to be generated by special software. We assume that IP packets with strange TTL values are malicious. This study investigates this conjecture through several experiments, and the results show that malicious packets can be discriminated from legitimate ones by observing only TTL values.
منابع مشابه
Covert Channels in the IP Time To Live Field
Covert channels are used for the secret transfer of information. Unlike encryption, which only protects the information from unauthorised observers, covert channels aim to hide the very existence of the communication. The huge amount of data and vast number of different network protocols in the Internet makes it an ideal high-capacity vehicle for covert communication. Covert channels pose a ser...
متن کاملAbnormal IP Packets on 3G Mobile Data Networks
As the mobile Internet has become widespread in recent years, communication based on mobile networks is increasing. As a result, security threats have been posed with regard to the abnormal traffic of mobile networks, but mobile security has been handled with focus on threats posed by mobile malicious codes, and researches on security threats to the mobile network itself have not attracted much...
متن کاملHop-Count Filtering: A Defense Against Spoofed IP Traffic
IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to (1) conceal flooding sources and dilute localities in flooding traffic, and (2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming invol...
متن کاملFusion of Detection, Traffic Control and Traceback Technique for DDoS attacks r
Denial-of-Service (DoS) and Distributed Denial-ofService (DDoS) attacks typically generate huge amount of adverse traffic to a target server and make the server unavailable for services. Several works had put lots of efforts to find novel and effective techniques to detect and prevent such attacks. However, most studies were conducted using offline data or via simulation. Only a few studies add...
متن کاملOn the Feasibility of TTL-Based Filtering for DRDoS Mitigation
A major disturbance for network providers in recent years have been Distributed Reflective Denial-of-Service (DRDoS) attacks. In such an attack, the adversary spoofs the IP address of a victim and sends a flood of tiny packets to vulnerable services. The services then respond to spoofed the IP, flooding the victim with large replies. Led by the idea that an attacker cannot fabricate the number ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2012