TTL is decremented by each router hop, not by hosts.

When TTL hits 0:

• Packet is discarded
• Router sends:
  • ICMP Time Exceeded (type 11)

Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph

Goal

• Evade certain detection devices
• Perform hop-based fingerprinting
• Conduct stealth scanning (TTL-limited probing)

Red Flags

• If you suddenly see TTL = 2 or 3 internally → suspicious.

Filters

# Detect Very Low TTL Values
ip.ttl <= 5

# TTL-Limited SYN Scans
tcp.flags.syn == 1 && ip.ttl <= 5

# Correlate with ICMP Time Exceeded (indicate TTL expiration along path)
icmp.type == 11

Killchain

• Attacker crafts packet with intentionally low TTL
• Packet traverses routers decrementing TTL
• Packet reaches target before inspection device
• Target responds normally (SYN-ACK / RST)
• IDS/IPS may miss original packet due to placement
• Attacker gathers reconnaissance data

Defense

• Drop packets with abnormally low TTL at edge
• Normalize TTL values at perimeter
• Ensure IDS placement is in-path
• Detect TTL anomalies relative to baseline