
I've come across a few articles online published about combating IP spoofing using TTL-based analysis/filtering. Basically the packet arrives, then the server grabs the TTL. The server then pings that IP address and compares TTL values. If they're different, then the packet is dropped.


Is there any real way to implement this in servers today? Or is the source code publicly available online? (I couldn't find shit about it besides articles)

Hope someone knows the answer to this.

https://linustechtips.com/topic/804767-hop-count-analysis-ttl-based-filtering/

I don't have any more information about this, but there are a couple of issues I've seen with this:

  • Increased latency for starting a connection
  • Increased server resources for each connection
  • Many clients don't respond to pings
  • Any client that is behind NAT, or especially CGNAT, will have a different (lower) TTL in the request than in your ping response, since the ping response will come from the last level of NAT.

This seems to be at the level of "research project" only at this time.

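A sketch of the hop-count check described in the opening post, with the slack that brwainer's NAT point calls for, as an added example and not code from this thread or from any real filter implementation; the addresses and TTL values are constructed, and the probe replies are simulated rather than actually sent.

```python
# Hop-count filter sketch (added example, not from the thread).
INITIAL_TTLS = (64, 128, 255)      # common OS default initial TTLs

def hop_count(ttl: int) -> int:
    """Infer hops travelled from an observed TTL: distance from the nearest
    common initial TTL at or above it. Ambiguous only past ~64 hops."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError(f"TTL {ttl} out of range")

class HopCountFilter:
    def __init__(self, tolerance: int = 0):
        self.reference = {}        # src_ip -> hop count learned from a probe reply
        self.tolerance = tolerance # slack for NAT / route changes

    def learn(self, src_ip: str, probe_reply_ttl: int) -> None:
        """Record the hop count seen on an active probe (e.g. ping) reply."""
        self.reference[src_ip] = hop_count(probe_reply_ttl)

    def check(self, src_ip: str, packet_ttl: int) -> tuple[bool, str]:
        """Accept the packet if its hop count matches the reference within tolerance."""
        if src_ip not in self.reference:
            return True, "no reference (unverified)"
        expected, observed = self.reference[src_ip], hop_count(packet_ttl)
        if abs(observed - expected) <= self.tolerance:
            return True, f"hops {observed} match reference {expected}"
        return False, f"hops {observed} != reference {expected}"

def run_sample(tolerance: int = 0) -> dict:
    """Constructed sample traffic (hypothetical addresses from RFC 5737 ranges)."""
    f = HopCountFilter(tolerance)
    f.learn("203.0.113.10", 52)   # simulated ping reply with TTL 52: 64-52 = 12 hops
    f.learn("198.51.100.7", 56)   # simulated reply from a NAT box 8 hops away
    packets = [
        ("203.0.113.10", 52),     # genuine host: 12 hops, same as the probe
        ("203.0.113.10", 120),    # spoofed: 128-120 = 8 hops, 4 short of reference
        ("198.51.100.7", 54),     # real client behind the NAT, 2 hops further away
    ]
    return {(ip, ttl): f.check(ip, ttl)[0] for ip, ttl in packets}

if __name__ == "__main__":
    for tol in (0, 2):
        print(f"tolerance={tol}:", run_sample(tol))
```

With tolerance 0 the NAT client is dropped along with the spoofed packet; with tolerance 2 the NAT client passes while the spoofed packet is still dropped, which is the trade-off any real deployment has to tune.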

Just now, brwainer said:

Many clients don't respond to pings

Ah fuck, completely forgot about home nets denying ICMP.

Well here's my case. I help run a couple of SRCDS servers and there's an application layer exploit out there which uses spoofed addresses (next to impossible to block) and they're able to lag it for as long as they want.


Any idea on how to mitigate this kind of attack?


58 minutes ago, Mornincupofhate said:

Ah fuck, completely forgot about home nets denying ICMP.

Well here's my case. I help run a couple of SRCDS servers and there's an application layer exploit out there which uses spoofed addresses (next to impossible to block) and they're able to lag it for as long as they want.


Any idea on how to mitigate this kind of attack?

Not really... if it was a TCP connection then I'd say that you could look into SYN cookies https://en.wikipedia.org/wiki/SYN_cookies or TCP cookies https://en.wikipedia.org/wiki/TCP_Cookie_Transactions - I haven't looked at the Source engine but I'm assuming that it prefers UDP connections. If you could use SYN cookies (or even just TCP in general), that would prevent the spoofed addresses from making it up into the application layer. I don't really know anything similar for UDP cookies. Seems like a bad application layer design if a UDP packet with a spoofed address is able to cause the server to lag. Or is the spoofed address usually one for another player, causing that player's connection to have issues?


3 minutes ago, brwainer said:

Not really... if it was a TCP connection then I'd say that you could look into SYN cookies https://en.wikipedia.org/wiki/SYN_cookies or TCP cookies https://en.wikipedia.org/wiki/TCP_Cookie_Transactions - I haven't looked at the Source engine but I'm assuming that it prefers UDP connections. If you could use SYN cookies (or even just TCP in general), that would prevent the spoofed addresses from making it up into the application layer. I don't really know anything similar for UDP cookies. Seems like a bad application layer design if a UDP packet with a spoofed address is able to cause the server to lag. Or is the spoofed address usually one for another player, causing that player's connection to have issues?

It lags the entire server. Sometimes crashing it.
