fragrouter

FRAGROUTER(8)               System Manager's Manual              FRAGROUTER(8)



NAME
       fragrouter - network intrusion detection evasion toolkit

SYNOPSIS
       fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK

DESCRIPTION
       Fragrouter is a program for routing network traffic in such a way as to
       elude most network intrusion detection systems.

       Most attacks implemented correspond to those listed in the Secure
       Networks ``Insertion, Evasion, and Denial of Service: Eluding Network
       Intrusion Detection'' paper of January 1998.

OPTIONS
       -i     Specify the interface to accept packets on.

       -p     Preserve the entire protocol header in the first fragment. This
              is useful in bypassing packet filters that deny short IP
              fragments.

       -g     Specify a hop along a loose source routed path. Can be used more
              than once to build a chain of hop points.

       -G     Positions the "hop counter" within the list of hosts in the path
              of a source routed packet. Should be a multiple of 4. Can be set
              past the length of the loose source routed path to implement
              Anthony Osborne's Windows IP source routing attack of September
              1999.

       The following attack options are mutually exclusive - you may only
       specify one type of attack to run at a time.

       -B1    baseline-1: Normal IP forwarding.

       -F1    frag-1: Send data in ordered 8-byte IP fragments.

       -F2    frag-2: Send data in ordered 24-byte IP fragments.

       -F3    frag-3: Send data in ordered 8-byte IP fragments, with one
              fragment sent out of order.

       -F4    frag-4: Send data in ordered 8-byte IP fragments, duplicating
              the penultimate fragment in each packet.

       -F5    frag-5: Send data in out of order 8-byte IP fragments,
              duplicating the penultimate fragment in each packet.

       -F6    frag-6: Send data in ordered 8-byte IP fragments, sending the
              marked last fragment first.

       -F7    frag-7: Send data in ordered 16-byte IP fragments, preceding
              each fragment with an 8-byte null data fragment that overlaps
              the latter half of it. This amounts to the forward-overlapping
              16-byte fragment rewriting the null data back to the real
              attack.

       -T1    tcp-1: Complete TCP handshake, send fake FIN and RST (with bad
              checksums) before sending data in ordered 1-byte segments.

       -T3    tcp-3: Complete TCP handshake, send data in ordered 1-byte
              segments, duplicating the penultimate segment of each original
              TCP packet.

       -T4    tcp-4: Complete TCP handshake, send data in ordered 1-byte
              segments, sending an additional 1-byte segment which overlaps
              the penultimate segment of each original TCP packet with a null
              data payload.

       -T5    tcp-5: Complete TCP handshake, send data in ordered 2-byte
              segments, preceding each segment with a 1-byte null data segment
              that overlaps the latter half of it. This amounts to the
              forward-overlapping 2-byte segment rewriting the null data back
              to the real attack.

       -T7    tcp-7: Complete TCP handshake, send data in ordered 1-byte
              segments interleaved with 1-byte null segments for the same
              connection but with drastically different sequence numbers.

       -T8    tcp-8: Complete TCP handshake, send data in ordered 1-byte
              segments with one segment sent out of order.

       -T9    tcp-9: Complete TCP handshake, send data in out of order 1-byte
              segments.

       -C2    tcbc-2: Complete TCP handshake, send data in ordered 1-byte
              segments interleaved with SYN packets for the same connection
              parameters.

       -C3    tcbc-3: Do not complete TCP handshake, but send null data in
              ordered 1-byte segments as if one had occurred. Then, complete a
              TCP handshake with same connection parameters, and send the real
              data in ordered 1-byte segments.

       -R1    tcbt-1: Complete TCP handshake, shut connection down with a RST,
              re-connect with drastically different sequence numbers and send
              data in ordered 1-byte segments.

       -I2    ins-2: Complete TCP handshake, send data in ordered 1-byte
              segments but with bad TCP checksums.

       -I3    ins-3: Complete TCP handshake, send data in ordered 1-byte
              segments but with no ACK flag set.

       -M1    misc-1: Thomas Lopatic's Windows NT 4 SP2 IP fragmentation
              attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for
              details). This attack has only been implemented for UDP.

       -M2    misc-2: John McDonald's Linux IP chains IP fragmentation attack
              of July 1998 (see http://www.dataprotect.com/ipchains/ for
              details). This attack has only been implemented for TCP and UDP.

SEE ALSO
       tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR
       Dug Song, Anzen Computing.

       The current version is available via HTTP:

              http://www.anzen.com/research/nidsbench/

BUGS
       IP options will carry across all fragments of a packet. Fragrouter is
       not smart enough to determine which IP options are valid only in the
       first fragment. This is considered a feature, not a bug. :-)

       Similarly, TCP options will carry across all segments of a split TCP
       packet - except for null data packets preceding a forward overwrite,
       which lack any TCP options in order to elude TCP PAWS elimination.

       Please send bug reports to nidsbench@anzen.com.



                                 26 April 1999                   FRAGROUTER(8)