# Using TTL for identification and bypassing limits
Before we use TTL for identification and other things, we should understand what it's for. The Time to Live (TTL) field in the TCP header is an 8-bit value that determines how long a packet can remain in the network before it is discarded. It is an important aspect of the Transmission Control Protocol (TCP), which is a key part of the TCP/IP model used to transmit data over the internet.
The TTL field is used to prevent packets from becoming "lost" in the network by setting a limit on the number of hops (routers) that a packet can pass through before it is discarded. This helps to prevent packets from circulating indefinitely, which can cause network congestion and slow down the transmission of data.
Using this field it is also possible, in some cases, to "find" unknown devices in a network. In my tech-support days, more often than I'd like to admit, some "unknown" device was the root cause of odd network issues. If you have a capture from points A and B, and there is all of a sudden a lower TTL, you know there is something in the way. By design the TTL value is decremented by one each time the packet passes through a router. When the TTL value reaches zero, the router discards the packet and sends an error message back to the sender.
When a packet is transmitted, the TTL value is set to a specific number, typically 64 or 128. The exact value can vary depending on the operating system or network device being used. In addition to the TTL field, the TCP header also includes other important fields such as the source and destination port numbers, the sequence and acknowledgement numbers, and the flags field. These fields are used to control the transmission of data and to ensure that packets are delivered accurately and efficiently.
Overall, the TTL field in the TCP header is an important aspect of the TCP/IP model: it is used to prevent packets from becoming "lost" and bouncing around forever in a network, and it can help troubleshoot network issues.
## Bypassing login issues, limits - what's the point?
Not too long ago, Linux clients in World of Warcraft had a funky issue rendering them unable to log in. The root cause is essentially DDoS prevention on Blizzard Entertainment's end. You would have been able to start up the game and see the server list, but that was it. Joining a server was impossible.
In some scenarios, limitations are set by providers using TTL. Since we know how this works, it is theoretically possible to use the Time to Live (TTL) field in the TCP header to bypass such limitations. Be it a gaming service (more below) or an ISP.
You can read into this information whatever you like. Don't do it ... I guess? Read the T&C.
However ... in a very specific example, users found out that this only happens to Linux-based machines. Surely Blizzard can identify the client OS in any way they want since you are running their code, but why would they want to lock out Linux users? They don't want to. It was a side effect and was quickly resolved by Blizzard, but in the meantime it was a very simple solution for users to change the TTL. 128 was a good value since it was the default for Windows 10-based machines, and none of these had this problem.
To check the current value:
```sh
sysctl net.ipv4.ip_default_ttl
```
To change the value:
```sh
sudo sysctl -w net.ipv4.ip_default_ttl=128
```
This setting will be reset to default on reboot. It is possible to prevent this, and there are next to no drawbacks to changing this for almost any user.
You can add this line to /etc/sysctl.conf:
```sh
net.ipv4.ip_default_ttl = 128
```
or write the value directly (as root; this takes effect immediately but is not persistent across reboots):
```sh
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
```
but it may vary on whatever distro you are on.
#### To change TTL in MacOS:
```sh
# show TTL
sysctl net.inet.ip.ttl
# set TTL
sudo sysctl -w net.inet.ip.ttl=64
```
#### To change TTL on openWRT
```sh
# from a fresh install/reset to defaults
opkg update && opkg install iptables-mod-ipopt kmod-ipt-ipopt
# flush tables (this also drops OpenWRT's default firewall rules)
iptables -F
iptables -t nat -F
iptables -t mangle -F
# apply routing
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# rewrite the TTL of every packet entering the router to 65 (needs the ipopt modules installed above)
iptables -t mangle -A PREROUTING -j TTL --ttl-set 65
iptables -A FORWARD -i eth1 -o br-lan -m state --state RELATED,ESTABLISHED -j ACCEPT
# this rule accepts all WAN->LAN forwarding, which makes the RELATED,ESTABLISHED rule above redundant
iptables -A FORWARD -i eth1 -o br-lan -j ACCEPT
```
## Identification
It is somewhat possible to use the TTL field in the TCP header to identify the operating system of a device in some cases. This has its limits, but it's a great tool for network troubleshooting.
- Windows: 128
- Most Linux distros: 64
- Some Cisco gear: 256
- F5 LTM: 256
- Riverbed WAN accelerators: 64
- Watchguard and Fortigate firewalls: 64
Here is a very good list
Did you know you can go around the world in about 16 hops?
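The following script is an added example and is not code from the original post. It turns the two ideas above into something you can run over a capture: guess a sender's initial TTL and hop count from the TTL you observe (the identification list), and flag hosts whose hop count is not what you expect (the "something is in the way" troubleshooting story). The candidate initial values 64, 128 and 255 are my assumption based on the defaults listed above; the TTL is carried in the IPv4 header, so 255 is the largest value the 8-bit field can hold. The function names `ttl_guess` and `audit_capture` are my own, and the `tcpdump -v -n` style lines in `SAMPLE_CAPTURE` are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the original post. Given the TTL seen in a
# capture, guess the sender's initial TTL and how many routers the packet
# crossed, then apply that to tcpdump -v style lines. The candidate initial
# values 64 / 128 / 255 are assumptions based on the defaults listed above
# (255 is the largest value the 8-bit TTL field in the IPv4 header can hold).

# ttl_guess OBSERVED  -> prints "INITIAL HOPS"; the guess is the smallest
# common default that is >= the observed value, since routers only decrement.
ttl_guess() {
    obs=$1
    for init in 64 128 255; do
        if [ "$obs" -le "$init" ]; then
            echo "$init $((init - obs))"
            return 0
        fi
    done
    echo "unknown 0"
    return 1
}

# Constructed sample capture in the format of `tcpdump -v -n` (not real traffic):
# a Linux-like host at 0 hops, a Windows-like host one hop away and an
# appliance-like host six hops away.
SAMPLE_CAPTURE='12:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.443 > 10.0.0.9.51000: Flags [S.], seq 1, ack 1, win 65535, length 0
12:00:01.000002 IP (tos 0x0, ttl 127, id 2, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.7.51001 > 10.0.0.9.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP (tos 0x0, ttl 249, id 3, offset 0, flags [none], proto TCP (6), length 40) 10.0.0.1.22 > 10.0.0.9.51002: Flags [.], ack 1, win 4128, length 0'

# audit_capture EXPECTED_HOPS  <  capture text
# Prints one line per packet: source, observed TTL, guessed initial TTL and
# hop count. Packets whose hop count differs from EXPECTED_HOPS are tagged,
# which is the "something is in the way" signal: use 0 for hosts that should
# sit on the same segment as the capture point, or the hop count you measured
# at point A when reviewing a capture taken at point B.
audit_capture() {
    expected=${1:-0}
    while IFS= read -r line; do
        ttl=$(printf '%s\n' "$line" | sed -n 's/.*ttl \([0-9][0-9]*\),.*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*) \([0-9.]*\)\.[0-9]* > .*/\1/p')
        [ -n "$ttl" ] && [ -n "$src" ] || continue
        set -- $(ttl_guess "$ttl")
        note=""
        if [ "$2" -ne "$expected" ]; then
            note=" UNEXPECTED_HOPS"
        fi
        echo "$src ttl=$ttl initial=$1 hops=$2$note"
    done
}

# Usage: every host in the sample is expected to be directly attached (0 hops).
printf '%s\n' "$SAMPLE_CAPTURE" | audit_capture 0
```

The guess is only a heuristic: a Linux host eight hops away (TTL 56) and a Windows host seventy-two hops away (also 56) look identical, and anything that rewrites TTL in transit, like the OpenWRT rule above, breaks the inference entirely. In practice the hop-count column is most useful when you compare it against what the topology says it should be.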