Manipulating TTL For Hotspot Data


Most data plans have a very small amount of “hotspot data” allowed, oftentimes when you use up all of your hotspot data the network will throttle your hotspot connection to an excruciatingly slow speed.

That begs the question: How does the cell carrier know what data is coming from your phone, and what data is going through a hotspot?

The short answer is through a piece of metadata associated with each packet called Time to Live (TTL).

What is TTL?

Each packet has a TTL value so that the packet does not bounce around the network forever. Every time a packet goes through another device it decrements the TTL. When the TTL reaches zero the packet is terminated.

So if you have a packet start on your laptop with the default TTL of 64, when it passes through your phone it decrements the value and it becomes 63. This is how the cell carrier can tell the origin of the traffic.

How Can This Be Exploited

If we start the TTL at 65, when it passes through your phone it gets decremented to 64. This TTL value makes it look like the packet originated on your phone.

Changing the TTL on any machine you have root access to is very simple. I only have a Linux computer to test on, so I will only include the commands for a linux computer. Instructions on how to do this on Windows or MacOS should be easy to find with a quick search for “change default ttl on <operating system>”.

On Linux (or at least arch linux) /proc/sys/net/ip_default_ttl is a text file with the default ttl. If you edit this file with something along the lines of sudo echo 65 > /proc/sys/net/ip_default_ttl you can change the time to live.

This change is not persistent. When you restart your computer the file will revert back to 64 and so will the TTL on your packets. If you want have have the change be persistant you can add net.ipv4.ip_default_ttl=65 to /etc/sysctl.conf.