IP TTL failures and attacks

As we saw in the previous sections, whenever a transit router performs a routing lookup on a packet, it decrements the IP TTL by 1 before forwarding the packet to the next-hop router. If a router receives a packet with a TTL of 1 and the destination IP address is not its own, the default behavior is to drop the packet and generate an ICMP error message of type 11 (time to live exceeded). This behavior ensures that a packet caught in a routing loop does not bounce between nodes forever but is dropped after at most 255 hops (255 is the maximum TTL value that can be set):

The Expert Info option of Wireshark provides a warning when packets are received with a TTL of less than 5 and highlights those packets, as shown in the preceding screenshot. This can be viewed by doing the following:

  1. Go to Analyze and click the Expert Info option
  2. Click the Warning or Notes section to see more details

Attackers can abuse the IP TTL to trigger a DoS attack by sending a large volume of packets with a low TTL value (less than 5). Transit nodes keep punting such packets to the CPU to generate the ICMP error messages, which can hog the CPU. Various options are available, such as a CPU protection mechanism or rate-limiting the traffic that reaches the CPU, that help mitigate such attacks.
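The following Python model, added here as an illustration and not taken from the book or from any router vendor's code, ties the two halves of this section together: the transit-router rule (decrement TTL and fix the header checksum, or drop at TTL 1 and generate ICMP type 11), the Expert Info style check that flags packets with TTL below 5, and a token-bucket limiter standing in for the "CPU protection" mitigation, which caps how many ICMP errors the control plane will generate. All function names, the addresses and the packet bytes are constructed for the example; the limiter is a generic token bucket, not any specific platform's feature.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11   # ICMP type 11: time to live exceeded in transit
LOW_TTL_THRESHOLD = 5     # Wireshark's Expert Info warns below this TTL value


def ones_complement_checksum(data):
    """RFC 1071 checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, ttl, payload=b"", proto=17):
    """Constructed test data: a minimal 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": f[5], "proto": f[6], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}


def header_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_checksum(pkt[:ihl]) == 0   # sum over a valid header folds to zero


def decrement_ttl(pkt):
    """What a transit router does on every forwarded packet: TTL - 1, checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def build_icmp_time_exceeded(router_ip, dst, offending_pkt):
    """ICMP type 11 / code 0, quoting the offending IP header plus 8 bytes of its payload."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + offending_pkt[:28]
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    return build_ipv4_packet(router_ip, dst, 64, icmp, proto=1)


class TokenBucket:
    """Hypothetical CPU-protection limiter: at most `burst` ICMP errors at once, refilled at `rate`/s."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def transit_forward(pkt, router_ip, limiter, now):
    """The transit-router rule from the text. Returns (action, packet_or_None)."""
    h = parse_ipv4(pkt)
    if h["dst"] == router_ip:
        return ("deliver", pkt)                      # addressed to us: no TTL check needed
    if h["ttl"] <= 1:
        if limiter.allow(now):                       # punt to CPU only while the budget lasts
            return ("drop+icmp11", build_icmp_time_exceeded(router_ip, h["src"], pkt))
        return ("drop", None)                        # dropped silently: CPU stays protected
    return ("forward", decrement_ttl(pkt))


def expert_info_low_ttl(packets):
    """Mirror Wireshark's Expert Info warning: list (index, src, ttl) for TTL < 5."""
    return [(i, parse_ipv4(p)["src"], parse_ipv4(p)["ttl"])
            for i, p in enumerate(packets) if parse_ipv4(p)["ttl"] < LOW_TTL_THRESHOLD]


def simulate_low_ttl_flood(count, limiter, router_ip="192.0.2.1"):
    """Constructed burst of TTL=1 packets arriving in the same instant; counts each outcome."""
    stats = {}
    for i in range(count):
        pkt = build_ipv4_packet("203.0.113.%d" % (i % 250 + 1), "198.51.100.7", 1)
        action, _ = transit_forward(pkt, router_ip, limiter, now=0.0)
        stats[action] = stats.get(action, 0) + 1
    return stats


if __name__ == "__main__":
    print(simulate_low_ttl_flood(100, TokenBucket(rate=10, burst=10)))
```

With a bucket of 10 tokens, a burst of 100 TTL=1 packets yields 10 ICMP replies and 90 silent drops; without the limiter every packet would reach the CPU. The same `expert_info_low_ttl` check is what you would run over a capture to confirm the low-TTL pattern that Wireshark flags.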
