fragrouter(8)

NAME

fragrouter - network intrusion detection evasion toolkit

SYNOPSIS

fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK

DESCRIPTION

Fragrouter is a program for routing network traffic in
such a way as to elude most network intrusion detection systems.
Most attacks implemented correspond to those listed in the
Secure Networks ``Insertion, Evasion, and Denial of Service:
Eluding Network Intrusion Detection'' paper of January 1998.

OPTIONS

-i Specify the interface to accept packets on.

-p Preserve the entire protocol header in the first
fragment. This is useful in bypassing packet filters that deny
short IP fragments.

-g Specify a hop along a loose source routed path. Can
be used more than once to build a chain of hop points.

-G Positions the "hop counter" within the list of
hosts in the path of a source routed packet. Should be a multiple
of 4. Can be set past the length of the loose source routed path
to implement Anthony Osborne's Windows IP source routing attack
of September 1999.

The following attack options are mutually exclusive - you
may only specify one type of attack to run at a time.

-B1 baseline-1: Normal IP forwarding.

-F1 frag-1: Send data in ordered 8-byte IP fragments.

-F2 frag-2: Send data in ordered 24-byte IP fragments.

-F3 frag-3: Send data in ordered 8-byte IP fragments,
with one fragment sent out of order.

-F4 frag-4: Send data in ordered 8-byte IP fragments,
duplicating the penultimate fragment in each packet.

-F5 frag-5: Send data in out of order 8-byte IP fragments,
duplicating the penultimate fragment in each packet.

-F6 frag-6: Send data in ordered 8-byte IP fragments,
sending the marked last fragment first.

-F7 frag-7: Send data in ordered 16-byte IP fragments,
preceding each fragment with an 8-byte null data fragment that
overlaps the latter half of it. This amounts to the
forward-overlapping 16-byte fragment rewriting the null data back
to the real attack.

-T1 tcp-1: Complete TCP handshake, send fake FIN and
RST (with bad checksums) before sending data in ordered 1-byte
segments.

-T3 tcp-3: Complete TCP handshake, send data in ordered
1-byte segments, duplicating the penultimate segment of each
original TCP packet.

-T4 tcp-4: Complete TCP handshake, send data in ordered
1-byte segments, sending an additional 1-byte segment which
overlaps the penultimate segment of each original TCP packet with
a null data payload.

-T5 tcp-5: Complete TCP handshake, send data in ordered
2-byte segments, preceding each segment with a 1-byte null data
segment that overlaps the latter half of it. This amounts to the
forward-overlapping 2-byte segment rewriting the null data back
to the real attack.

-T7 tcp-7: Complete TCP handshake, send data in ordered
1-byte segments interleaved with 1-byte null segments for the
same connection but with drastically different sequence numbers.

-T8 tcp-8: Complete TCP handshake, send data in ordered
1-byte segments with one segment sent out of order.

-T9 tcp-9: Complete TCP handshake, send data in out of
order 1-byte segments.

-C2 tcbc-2: Complete TCP handshake, send data in
ordered 1-byte segments interleaved with SYN packets for the same
connection parameters.

-C3 tcbc-3: Do not complete TCP handshake, but send
null data in ordered 1-byte segments as if one had occurred. Then,
complete a TCP handshake with the same connection parameters, and
send the real data in ordered 1-byte segments.

-R1 tcbt-1: Complete TCP handshake, shut the connection
down with a RST, re-connect with drastically different sequence
numbers and send data in ordered 1-byte segments.

-I2 ins-2: Complete TCP handshake, send data in ordered
1-byte segments but with bad TCP checksums.

-I3 ins-3: Complete TCP handshake, send data in ordered
1-byte segments but with no ACK flag set.

-M1 misc-1: Thomas Lopatic's Windows NT 4 SP2 IP
fragmentation attack of July 1997 (see
http://www.dataprotect.com/ntfrag/ for details). This attack has
only been implemented for UDP.

-M2 misc-2: John McDonald's Linux IP chains IP
fragmentation attack of July 1998 (see
http://www.dataprotect.com/ipchains/ for details). This attack
has only been implemented for TCP and UDP.
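The frag-7 and tcp-5 attacks above both rely on the monitor and the end host resolving an overlap differently. The following is an added example, not part of fragrouter: a byte-level model of the frag-7 fragment layout (offsets in bytes, no packets are built) and a reassembler that applies either a "first" or a "last" overlap policy, so one can see that a NIDS reassembling under the wrong policy sees null bytes where the target sees the real data, and that the overlap itself is a signal worth alerting on. Function names and the sample payload are constructed for this example.

```python
from __future__ import annotations

# Fragments are (offset, data) pairs in arrival order. Offsets are byte
# offsets into the reassembled payload (real IP offsets are in 8-byte units).


def frag7_layout(payload: bytes) -> list[tuple[int, bytes]]:
    """Model of the frag-7 sequence: each 16-byte data fragment is preceded by
    an 8-byte null fragment that covers its latter half."""
    frags = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        if len(chunk) > 8:
            # The null fragment arrives first and covers bytes off+8 .. off+len-1.
            frags.append((off + 8, b"\x00" * (len(chunk) - 8)))
        frags.append((off, chunk))  # forward-overlapping real fragment
    return frags


def reassemble(frags, policy: str = "last") -> tuple[bytes, bool]:
    """Reassemble under an overlap policy.
    'first': the byte from the earliest fragment covering it wins.
    'last' : a later fragment overwrites earlier data for the same byte.
    Returns (payload, overlap_seen); overlap_seen is what a NIDS should alert on."""
    buf: dict[int, int] = {}
    overlap_seen = False
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in buf:
                overlap_seen = True
                if policy == "first":
                    continue
            buf[pos] = byte
    if not buf:
        return b"", False
    end = max(buf) + 1
    if len(buf) != end:  # a hole means the datagram is not complete yet
        raise ValueError("incomplete fragment coverage")
    return bytes(buf[p] for p in range(end)), overlap_seen


if __name__ == "__main__":
    sample = b"0123456789abcdefGHIJKLMNOPQRSTUV"  # constructed 32-byte payload
    frags = frag7_layout(sample)
    for policy in ("last", "first"):
        data, overlap = reassemble(frags, policy)
        print(policy, overlap, data)
```

Under the "last" policy the original payload is recovered; under "first" the latter half of every 16-byte block stays null, which is exactly the discrepancy a monitor must either resolve by knowing the target's policy or flag on sight.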

SEE ALSO

tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR

Dug Song, Anzen Computing.

The current version is available via HTTP:
http://www.anzen.com/research/nidsbench/

BUGS

IP options will carry across all fragments of a packet.
Fragrouter is not smart enough to determine which IP options are
valid only in the first fragment. This is considered a feature,
not a bug. :-)

Similarly, TCP options will carry across all segments of a
split TCP packet - except for null data packets preceding a
forward overwrite, which lack any TCP options in order to elude
TCP PAWS elimination.

Please send bug reports to nidsbench@anzen.com.

26 April 1999