TTL Caging: How to Fight Malware Using Reduced TTL Values

My buddy and co-worker Steve Crapo (pronounced CRAY-poe) recently told me about an idea he had a while back about how to keep malware on your network from talking to the Internet. The idea is so simple and beautiful I just had to share it.

As we all know, malware does bad things; that’s why it’s not called benware. And one of the most important aspects of malware functionality is communication back to home base. So, whatever it’s doing, e.g. capturing passwords, harvesting data from your network, etc — malware has to get its loot back to whomever’s controlling it.

That’s where Steve’s idea comes in.

Lower the TTL of your corporate machines (except your content-inspecting proxy) to the depth of your internal network. So any traffic leaving your network that is destined for the Internet simply gets dropped by your border router — unless it uses (and therefore gets inspected by) your proxy.

You could also supplement the system by dropping all outgoing traffic at the firewall that doesn’t have a TTL of less than 1 and/or dropping all Internet-based traffic not coming from the proxy itself. This would help catch the stragglers that are running off of default installs and don’t have the reduced TTL setting in place.

There are ways around this technique, of course, but this fact doesn’t take away from its elegance. In an environment where information security has the pull to both change the default TTL of corporate assets and require them to use the corporate proxy, this solution is almost too elegant to pass up.: