* TTL Examples
From: hareram @ 2005-04-20 6:31 UTC
To: netfilter
Hi all
I am going through the doc from the following site:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCTEST-IPTABLESTXT
The TTL target is used to change the TTL (Time To Live) field of the packet.
We could tell packets to only have a specific TTL and so on. One good reason
for this could be that we don't want to give ourself away to nosy Internet
Service Providers. Some Internet Service Providers do not like users running
multiple computers on one single connection, and there are some Internet
Service Providers known to look for a single host generating different TTL
values, and take this as one of many signs of multiple computers connected
to a single connection.
I was looking for the option mentioned above in the docs.
Can someone give me an example script?
I would like to restrict the other side to using only one PC; he/she should not use
any proxy server or any other NAT.
hare
* Re: TTL Examples
From: Georgi Alexandrov @ 2005-04-20 11:35 UTC
To: netfilter
hareram wrote:
> Hi all
>
> I am going through the doc from the following site:
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#RCTEST-IPTABLESTXT
>
>
> The TTL target is used to change the TTL (Time To Live) field of the
> packet. We could tell packets to only have a specific TTL and so on.
> One good reason for this could be that we don't want to give ourself
> away to nosy Internet Service Providers. Some Internet Service
> Providers do not like users running multiple computers on one single
> connection, and there are some Internet Service Providers known to
> look for a single host generating different TTL values, and take this
> as one of many signs of multiple computers connected to a single
> connection.
>
> I was looking for the option mentioned above in the docs.
>
> Can someone give me an example script?
>
> I would like to restrict the other side to using only one PC; he/she should
> not use any proxy server or any other NAT.
>
This is pointless ... as the user on the other side can increase their
TTL value the same way you decreased it :-)
refs: #TTLTARGET @ iptables-tutorial.frozentux.net
regards,
Georgi Alexandrov
* Re: TTL Examples
From: Taylor, Grant @ 2005-04-20 22:24 UTC
To: Georgi Alexandrov; +Cc: netfilter
> This is pointless ... as the user on the other side can increase their
> TTL value the same way you decreased it :-)
Not exactly.
If you use "--ttl-dec", yes, it would be sort of futile, as the client on the other side could artificially inflate his/her TTL. HOWEVER, if you use "--ttl-set" then you could set the TTL to whatever you want regardless of what it was set to when it came into your router.
Grant. . . .
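The three TTL target forms the two replies above argue about (Georgi's objection to decrementing, Grant's --ttl-set), as an added example; this is not code from the tutorial or from any poster. It is an iptables script for a Linux router with the ipt_TTL target available (the TTL target only loads in the mangle table). The interface names (ppp0 as the upstream link, ppp1 as a customer link) and the TTL value 64 are assumptions, and setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example for the "TTL Examples" thread; not from the tutorial or any poster.
# Assumed interfaces: ppp0 = upstream link of a NAT router, ppp1 = a customer link
# on an ISP router. Set IPTABLES=echo for a dry run; run as root to apply.

IPTABLES="${IPTABLES:-iptables}"

# Case 1: the use the tutorial describes. On your own NAT router, overwrite the
# TTL of everything leaving the upstream interface, so the ISP sees one value
# no matter what the LAN hosts started with (Linux defaults to 64, Windows to
# 128). mangle POSTROUTING runs after the forwarding decrement, so the value
# given here is exactly what goes on the wire.
normalize_egress_ttl() {
  up_if=$1; ttl=${2:-64}
  "$IPTABLES" -t mangle -A POSTROUTING -o "$up_if" -j TTL --ttl-set "$ttl"
}

# Case 2: the form Georgi calls pointless. Subtracting from whatever arrived is
# undone by a customer that simply starts higher (net.ipv4.ip_default_ttl, or
# a --ttl-inc rule on their own box), because the result still depends on the
# value the customer chose.
weak_decrement() {
  cust_if=$1
  "$IPTABLES" -t mangle -A POSTROUTING -o "$cust_if" -j TTL --ttl-dec 1
}

# Case 3: Grant's --ttl-set, on the ISP side. Packets delivered towards the
# customer link leave with TTL 1; a second router behind the link decrements
# them to 0 and drops them, so only a host directly on the link receives them.
# Caveat: a Linux router on the customer side can still raise the TTL in
# mangle PREROUTING (-i <wan> -j TTL --ttl-inc 1) before its own forwarding
# decrement, so this is a speed bump, not enforcement.
single_hop_to_customer() {
  cust_if=$1
  "$IPTABLES" -t mangle -A POSTROUTING -o "$cust_if" -j TTL --ttl-set 1
}

# Usage: sh ttl-examples.sh normalize ppp0 64  |  sh ttl-examples.sh single-hop ppp1
case "${1-}" in
  normalize)  normalize_egress_ttl "${2:-ppp0}" "${3:-64}" ;;
  single-hop) single_hop_to_customer "${2:-ppp1}" ;;
esac
```

Case 1 answers the tutorial's stated purpose (hide the number of hosts from an upstream observer); case 3 is the only one of the three that comes close to what the original poster asked for, and the PREROUTING --ttl-inc counter in its comment is why neither reply really settles the question. On an nftables host the equivalent of --ttl-set is the payload statement `ip ttl set 64` in a postrouting chain.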
* Re: TTL Examples
From: Taylor, Grant @ 2005-04-20 22:32 UTC
To: hareram; +Cc: netfilter
> can some one give me the example script.
I don't think there is really a script per se that will do this, as quite often such systems are monitoring traffic, remembering what recent values were and looking for a difference from the norm as a sign of something funny going on.
> i would like to restrict other side use only one PC, he/she should not
> use any proxy server or any other NAT.
Rather than doing something to prevent the client from using multiple systems behind some sort of NAT and/or proxy, I've found it much easier (technically and on my conscience) and more reliable to just allow the client to have as many systems as they want and just bill based on bandwidth. If the client decides that they want to do this then they can do so; they will just have to distribute the bandwidth costs.
If you really want to do this you could set something up that would limit the number of connections that any given IP could have initiated at one time. However, I think this could EASILY break a LOT of things. If you REALLY want to put a system in place and have it try to guess if there are multiple clients behind a system, you should probably look at the sequence numbers that are coming out in packets too, as a single system should have sequence numbers that are incrementing higher; not necessarily sequential, as in 123, 124, 125, but the current sequence number should be higher than the previous and the next sequence number should be larger than the current. The sequence numbers should not jump all over the scale, as this is another sign that there are multiple systems behind the firewall. In fact, quite often if you have enough sequence numbers you can even guess fairly closely how many systems are behind the firewall.
Grant. . . .
* Re: TTL Examples
From: Jason Opperisano @ 2005-04-21 1:29 UTC
To: netfilter
On Wed, Apr 20, 2005 at 05:32:23PM -0500, Taylor, Grant wrote:
> If you
> REALLY want to put a system in place and have it try to guess if there are
> multiple clients behind a system you should probably look at the sequence
> numbers that are coming out in packets too as a single system should have
> sequence numbers that are incrementing higher, not necessarily in
> sequential as in 123, 124, 125, as in the current sequence number should be
> higher than the previous and the next sequence number should be larger than
> the current. The sequence numbers should not jump all over the scale as
> this is another sign that there are multiple systems behind the firewall.
> In fact quite often if you have enough sequence numbers you can even guess
> fairly close as to how many systems are behind the firewall.
which is why many firewalls nowadays (the one we lovingly discuss on
this list not included) will randomize ISNs on the packets passing
through it.
-j
--
"Pillsbury Doughboy: Nothing says "I Love You" quite like
Pill... hey! What the hell are you doing you crazy bitch?"
--Family Guy
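Grant's two "is there a NAT behind this link?" heuristics (how many distinct TTL values one source emits, and whether its TCP ISNs keep rising) and Jason's ISN-randomisation caveat, run together over sample data, as an added example; this is not code posted by anyone in the thread. It is a POSIX sh/awk script over a constructed set of SYN records in an assumed format of `src ttl isn`, one per line in arrival order; the addresses and numbers are made up to produce one source of each kind.

```shell
#!/bin/sh
# Added example for the "TTL Examples" thread; not anyone's posted code.
# Input format (assumed): one SYN per line, "src ttl isn", in arrival order.

# Constructed sample, not captured traffic:
#   10.0.0.1  one host, plain: one TTL, ISNs rising.
#   10.0.0.2  two hosts (Linux TTL 63, Windows TTL 127) behind a plain NAT.
#   10.0.0.3  two hosts behind a NAT whose gateway does --ttl-set 64, so the
#             TTL count is blind to it and only the ISN order gives it away.
#   10.0.0.4  ONE host behind a firewall that randomises ISNs: the ISN check
#             flags it anyway, which is Jason's point.
SAMPLE='10.0.0.1 63 1000000
10.0.0.2 63 2000000
10.0.0.1 63 1000500
10.0.0.2 127 50000
10.0.0.3 64 3000000
10.0.0.4 63 4100000
10.0.0.2 63 2000900
10.0.0.3 64 70000
10.0.0.1 63 1001200
10.0.0.2 127 50700
10.0.0.3 64 3000800
10.0.0.4 63 120000
10.0.0.4 63 3900000'

# ttl_report: "src <number of distinct TTL values seen from src>", stdin to stdout.
ttl_report() {
  awk '{ key = $1 "," $2
         if (!(key in seen)) { seen[key] = 1; n[$1]++ } }
       END { for (s in n) print s, n[s] }' | sort
}

# isn_report: "src <number of times an ISN was lower than the previous ISN
# from that src>". Ignores 32-bit wraparound, as the thread does.
isn_report() {
  awk '{ if (($1 in last) && $3 + 0 < last[$1]) back[$1]++
         last[$1] = $3 + 0; srcs[$1] = 1 }
       END { for (s in srcs) print s, back[s] + 0 }' | sort
}

# suspects: sources flagged by either heuristic, with the reason.
suspects() {
  tmp=$(cat)   # read stdin once so both reports see the same records
  {
    printf '%s\n' "$tmp" | ttl_report | awk '$2 > 1 { print $1, "multiple-ttl" }'
    printf '%s\n' "$tmp" | isn_report | awk '$2 > 0 { print $1, "isn-not-monotone" }'
  } | sort
}

printf '%s\n' "$SAMPLE" | suspects
```

Running it flags 10.0.0.2 on both counts, 10.0.0.3 only by ISN order (the --ttl-set rule from earlier in the thread is exactly what blinds the TTL count), and 10.0.0.4 by ISN order alone even though it is a single host, which is the false positive Jason describes. The ISN heuristic is weaker still against current stacks: RFC 1948/6528 style generation mixes a keyed hash of the connection 4-tuple into the ISN, so one host's ISNs towards different destinations do not rise monotonically either.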