>In addition to this, and to controlling DHCP, as another poster mentioned, 
>there is an audit method that may take some time, but can be automated to some 
>degree.
>
>It's an interesting use of TTLs I saw discussed on another list - you have to 
>keep track of the TTLs by the hosts on your network and notice the anomalies. 
>Most OSes use a starting TTL of either 64 or 128. If you notice packets with 
>a TTL of 63 or 127 coming from a particular IP address through your 
>router/firewall, you have an indicator that that IP address is a router or 
>NAT device itself. I would also suspect that if you see mixed TTLs coming from 
>a single IP address, that might also signal something to investigate.
>
>Kurt 


And while this is correct if it goes through a router, I don't think a simple 
access point will change (decrement) the TTL.  I remember Mikrotik would let 
you override the TTL to 1 so that any router hanging off would discard the 
packets.  That is unless they used another Mikrotik router that would simply 
modify the TTL again.  They did this in a mangle rule.

(Sorry, I corrected a fat-finger issue above)
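
The TTL audit Kurt describes, as an added example (not code from either poster) run over a constructed packet sample. It assumes the capture is taken on the LAN side of the firewall, so directly attached hosts show an unmodified initial TTL, and it flags both the "one below an initial value" case and the "mixed TTLs from one address" case.

```python
from collections import defaultdict

# Initial TTLs most operating systems put on packets they originate.
INITIAL_TTLS = {64, 128, 255}
# One below an initial value means one routing hop: a router or NAT box.
ONE_HOP_TTLS = {t - 1 for t in INITIAL_TTLS}

# Constructed sample of (source IP, IP TTL) pairs as seen on the LAN interface.
SAMPLE_PACKETS = [
    ("192.168.1.10", 128), ("192.168.1.10", 128), ("192.168.1.10", 128),  # plain Windows host
    ("192.168.1.20", 63), ("192.168.1.20", 63),                           # host behind a NAT router
    ("192.168.1.30", 64), ("192.168.1.30", 127),                          # two OSes sharing one IP
    ("192.168.1.40", 64),                                                 # plain Linux/BSD host
]


def audit_ttls(packets):
    """Group packets by source IP and flag TTL anomalies.

    Returns {ip: {"ttls": sorted list, "flags": sorted list}} where the flags are
    "possible_nat" (a TTL one below a common initial value was seen) and
    "mixed_ttls"   (more than one distinct TTL came from the same address).
    """
    seen = defaultdict(set)
    for ip, ttl in packets:
        seen[ip].add(ttl)
    report = {}
    for ip, ttls in seen.items():
        flags = set()
        if ttls & ONE_HOP_TTLS:
            flags.add("possible_nat")
        if len(ttls) > 1:
            flags.add("mixed_ttls")
        report[ip] = {"ttls": sorted(ttls), "flags": sorted(flags)}
    return report


def suspicious_hosts(packets):
    """Return only the source IPs that need a closer look."""
    return sorted(ip for ip, r in audit_ttls(packets).items() if r["flags"])


if __name__ == "__main__":
    for ip, r in sorted(audit_ttls(SAMPLE_PACKETS).items()):
        print(f"{ip:15} ttls={r['ttls']} flags={r['flags'] or 'none'}")
```

As the reply above notes, a bridging access point does not decrement the TTL, so clients behind one are not caught by this check; the feed would normally come from the firewall's packet capture rather than a hand-built list.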

