OSPF – TTL Security Check

The OSPF TTL security check is a mechanism to stop remote OSPF attacks and is based on the Generalized TTL Security Mechanism (GTSM) described in RFC 5082.

Consider the following network (figure: OSPF TTL Attack):

By default OSPF sends packets with a TTL of 1 (as can be seen in the capture below). Every time a packet is routed its TTL is decremented by 1. In the above diagram the attacker sends a packet with a TTL of 2, using the same source address as R2. When R2 receives the packet, it decrements the TTL by 1 and forwards it to R1. Consequently R1 receives the packet and believes it has come from R2.

(Packet capture: OSPF TTL)

The OSPF process may respond to these packets, causing potential instability. Even if a packet is meaningless it is still processed by the control plane, so an attacker could cause a denial of service by sending large numbers of such packets to R1.

The OSPF TTL Security Check sends packets with a TTL of 255 and by default will not accept a packet with a TTL less than 255. However, an optional hops parameter sets by how many the TTL is allowed to have been decremented (1 by default). If this were set to 55, for example, the OSPF process would accept packets with a TTL of 200-255.

R2(config-router)#ttl-security all-interfaces ?
hops IP hops
<cr>

R2(config-router)#ttl-security all-interfaces hops ?
<1-254> maximum number of hops allowed

R2(config-router)#ttl-security all-interfaces hops 1

(Packet capture: OSPF TTL 255)

The largest possible TTL is 255, so the attacker can no longer send a larger TTL to compensate for the decrement. For example, the attacker would have to send a TTL of 256 in order for R1 to receive it as 255 (after R2 decrements it by 1), which is not possible.
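To make the scenario above concrete, here is an added example (not code from the original post or from any vendor implementation) that models the check in Python: it builds a constructed IPv4 header, simulates each router decrementing the TTL, and then applies the legacy "accept any live OSPF packet" behaviour beside the GTSM rule (accept only if TTL >= 255 - hops). The addresses 10.0.0.2 (R2) and 224.0.0.5 (AllSPFRouters) and the scenario() helper are assumptions for illustration.

```python
import struct

OSPF_PROTOCOL = 89   # IP protocol number for OSPF
MAX_TTL = 255        # largest value the 8-bit TTL field can hold

def build_ipv4_header(src, dst, ttl, proto=OSPF_PROTOCOL):
    """Constructed sample: a minimal 20-byte IPv4 header (checksum left as 0)."""
    ver_ihl = (4 << 4) | 5                      # IPv4, header length 5 words
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, ttl, proto, 0, src_b, dst_b)

def parse_ipv4_header(pkt):
    """Return (src, dst, ttl, proto) from the first 20 bytes of an IPv4 packet."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ".".join(map(str, src)), ".".join(map(str, dst)), ttl, proto

def forward(pkt, hops):
    """Model `hops` routers in the path: each decrements TTL by 1.
    Returns None if the TTL expires before the packet arrives."""
    for _ in range(hops):
        _, _, ttl, _ = parse_ipv4_header(pkt)
        if ttl <= 1:
            return None                         # router drops the packet
        pkt = pkt[:8] + bytes([ttl - 1]) + pkt[9:]   # TTL is byte 8 of the header
    return pkt

def classic_accept(pkt):
    """Legacy behaviour: any OSPF packet with a live TTL reaches the OSPF process."""
    _, _, ttl, proto = parse_ipv4_header(pkt)
    return proto == OSPF_PROTOCOL and ttl >= 1

def gtsm_accept(pkt, hops=1):
    """OSPF TTL security check (RFC 5082): accept only OSPF packets whose
    TTL has been decremented at most `hops` times, i.e. TTL >= 255 - hops."""
    _, _, ttl, proto = parse_ipv4_header(pkt)
    if proto != OSPF_PROTOCOL:
        return False
    return ttl >= MAX_TTL - hops

def scenario(sender_ttl, routers_between, hops_allowed):
    """A sender claiming R2's address emits an OSPF packet with sender_ttl that
    crosses routers_between routers before reaching R1.
    Returns (accepted_without_check, accepted_with_check)."""
    pkt = build_ipv4_header("10.0.0.2", "224.0.0.5", sender_ttl)   # constructed sample
    arrived = forward(pkt, routers_between)
    if arrived is None:
        return (False, False)
    return (classic_accept(arrived), gtsm_accept(arrived, hops_allowed))

if __name__ == "__main__":
    # The attack from the diagram: TTL 2, one router (R2) in between, hops 1.
    print("spoofed TTL 2 via R2:", scenario(2, 1, 1))       # (True, False)
    # A genuine directly connected neighbour sending TTL 255.
    print("real neighbour TTL 255:", scenario(255, 0, 1))   # (True, True)
    # A sender two routers away can deliver at most 253.
    print("sender two hops away:", scenario(255, 2, 1))     # (True, False)
```

The hops value is the real security knob: a packet arriving at R1 can never carry a TTL higher than 255 minus the number of routers it crossed, so a sender more than `hops` routers away cannot satisfy the check no matter what TTL it chooses. Keeping hops at the smallest value the topology needs therefore keeps the protected zone as tight as possible.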

Bear in mind that in order for an adjacency to form, all OSPF neighbours require matching TTL values. Implementing the TTL Security Check on one side only may therefore cause a neighbour adjacency to drop once the dead timer expires.

(Figure: OSPF Max TTL)

The OSPF TTL Security feature can be enabled on the OSPF router process (for all interfaces) and then selectively disabled per interface. Alternatively it can be enabled only on selected interfaces directly:

Enabling on all interfaces / disabling selective interfaces:

router ospf 1
ttl-security all-interfaces

interface GigabitEthernet1/0
ip ospf ttl-security disable

Enabling on selective interfaces:

Router(config-if)#ip ospf ttl-security ?
disable disable TTL security check
hops IP hops
<cr>

Router(config-if)#ip ospf ttl-security hops ?
<1-254> maximum number of hops allowed

Enabling TTL on all interfaces does not include virtual-links, or OSPF sham links. To enable it on a virtual link, use the area virtual-link ttl-security command. To enable it on a sham link use the area sham-link ttl-security command.

Author: Simon Chamberlain

An experienced Network Professional writing yet another blog