eBGP Multihop vs. eBGP TTL-Security

The following is a really great article by Jon Langemak examining the differences in router behavior when using eBGP multihop vs. eBGP ttl-security.

http://www.dasblinkenlichten.com/ebgp-multihop-vs-ttl-security/

Check it out, it is well worth the read.

By default, eBGP packets are sent with a TTL of 1, because a directly connected peer is assumed. If the peer is a known number of hops away, the ebgp-multihop command raises that initial TTL to cover those hops, so our packets still have a TTL of at least 1 when they arrive instead of expiring in transit. The catch is on the receiving side: with multihop configured, the router does not require any particular TTL on inbound BGP packets, so anything that reaches it at all is handed to the BGP process. An attacker anywhere who can spoof the peer's source address can therefore land packets on the BGP TCP port that the router will inspect and process, which opens a potential DoS opportunity (assuming we aren't also using a neighbor password, which is common practice; and even with one, the router still has to do the MD5 work before it can discard the packet).

TTL-Security (GTSM, RFC 5082) takes the inverse approach: both sides send with the maximum TTL of 255, we tell each router how many hops away its peer is, and it accepts a BGP packet only if the TTL has been decremented by no more than that many hops; so a peer 3 hops away expects a TTL of at least 252 (255-3), and anything lower is discarded. What makes this work is not that the hop count is secret: the TTL field is 8 bits, so no sender can start above 255, and every router in the path decrements it, so a packet from an attacker outside the trusted radius cannot arrive with a high enough TTL no matter how it is crafted. The check is cheap and can be applied before the more expensive MD5 verification, which is why it protects the control plane rather than merely authenticating the session. Two caveats: it only narrows the attack surface to hosts within the configured radius, and on Cisco IOS ttl-security and ebgp-multihop cannot both be configured for the same neighbor, so you pick one.
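To make the two receive rules concrete, here is an added example (not code from the original post or from Jon Langemak's article) that models the TTL arithmetic behind both the multihop paragraph and the TTL-security paragraph above. It assumes only the decrement-per-forwarding-router behaviour of IP and the RFC 5082 acceptance rule; hop counts in the model are the number of forwarding routers between the peers, so a directly connected peer is 0 hops, which may differ from how a given vendor's CLI argument counts. It walks a legitimate peer, a distant spoofing attacker, and an attacker inside the trusted radius through both modes.

```python
"""Model of eBGP TTL handling: ebgp-multihop vs. ttl-security (GTSM).

Added example, not from the original post. It models only the IP TTL
arithmetic: a sender chooses an initial TTL, every router that forwards
the packet decrements it by one (discarding it at zero), and the receiving
BGP speaker applies the acceptance rule of the configured mode. The
ttl-security rule follows RFC 5082: accept only if TTL >= 255 - hops.
Hops here = number of forwarding routers between the peers (assumption;
vendor CLI arguments may count the hop differently).
"""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_TTL = 255  # the TTL field is 8 bits: nobody can send a higher value


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source address (trivially spoofable)
    ttl: int

    def __post_init__(self):
        if not 1 <= self.ttl <= MAX_TTL:
            raise ValueError("TTL must be 1..255")


def forward(pkt: Packet, hops: int) -> Optional[Packet]:
    """Forward pkt across `hops` routers; None means it expired in transit."""
    ttl = pkt.ttl
    for _ in range(hops):
        ttl -= 1
        if ttl == 0:
            return None  # router drops it (ICMP time exceeded)
    return Packet(pkt.src, ttl)


def multihop_send_ttl(configured_multihop: int) -> int:
    """`neighbor X ebgp-multihop N`: packets leave with TTL N (default 1)."""
    return configured_multihop


def multihop_accepts(pkt: Optional[Packet]) -> bool:
    """Multihop receiver: whatever arrives is handed to the BGP process."""
    return pkt is not None


def ttl_security_send_ttl() -> int:
    """`neighbor X ttl-security hops N`: packets always leave with TTL 255."""
    return MAX_TTL


def ttl_security_accepts(pkt: Optional[Packet], hops: int) -> bool:
    """GTSM receiver: accept only if the TTL is at least 255 - hops."""
    return pkt is not None and pkt.ttl >= MAX_TTL - hops


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios; every entry is True when the model behaves as described."""
    peer_hops = 3       # legitimate peer is 3 forwarding routers away
    far_attacker = 10   # attacker outside the trusted radius
    near_attacker = 2   # attacker inside the trusted radius
    results = {}
    # 1. Default eBGP (TTL 1) toward a peer 3 hops away expires in transit.
    results["default_ttl1_expires"] = (
        forward(Packet("peer", multihop_send_ttl(1)), peer_hops) is None)
    # 2. ebgp-multihop 4 gets the packet there with TTL 1 and it is accepted.
    results["multihop_peer_accepted"] = multihop_accepts(
        forward(Packet("peer", multihop_send_ttl(4)), peer_hops))
    # 3. A distant attacker spoofing the peer is accepted just the same under multihop.
    results["multihop_far_attacker_accepted"] = multihop_accepts(
        forward(Packet("peer", MAX_TTL), far_attacker))
    # 4. Under ttl-security hops 3 the real peer's packet arrives with 252 and passes.
    results["ttlsec_peer_accepted"] = ttl_security_accepts(
        forward(Packet("peer", ttl_security_send_ttl()), peer_hops), peer_hops)
    # 5. The distant attacker cannot start above 255: arrives with 245, dropped.
    results["ttlsec_far_attacker_rejected"] = not ttl_security_accepts(
        forward(Packet("peer", MAX_TTL), far_attacker), peer_hops)
    # 6. Caveat: an attacker inside the radius (2 hops, arrives 253) still gets through.
    results["ttlsec_near_attacker_accepted"] = ttl_security_accepts(
        forward(Packet("peer", MAX_TTL), near_attacker), peer_hops)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Scenario 6 is the one to keep in mind when sizing the hops argument: every extra hop you allow widens the set of hosts whose packets pass the check, so configure the smallest radius that the real path needs.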
