
FreeBSD Manual Pages

FRAGROUTE(8)		    System Manager's Manual		  FRAGROUTE(8)

NAME
       fragroute - intercept, modify, and rewrite egress traffic

SYNOPSIS
       fragroute [-f file] host

DESCRIPTION
       fragroute intercepts, modifies, and rewrites egress traffic destined
       for the specified host, implementing most of the attacks described in
       the Secure Networks ``Insertion, Evasion, and Denial of Service:
       Eluding Network Intrusion Detection'' paper by Ptacek and Newsham,
       January 1998.

       The options are as follows:

       -f file
              Read ruleset from the specified file instead of
              /usr/local/etc/fragroute.conf.

       Unlike fragrouter(8), this program only affects packets originating
       from the local machine destined for a remote host.  Do not enable IP
       forwarding on the local machine.

RULESET
       fragroute is composed of several modules which enable various
       configuration directives.  Each directive operates on a logical packet
       queue handed to it by the previous rule, so rules are applied in the
       order in which they appear in the file.

       # string ...
	      Ruleset comment, no-op.

       delay first|last|random ms
              Delay the delivery of the first, last, or a randomly selected
              packet from the queue by ms milliseconds.

       drop first|last|random prob-%
              Drop the first, last, or a randomly selected packet from the
              queue with a probability of prob-% percent.

       dup first|last|random prob-%
              Duplicate the first, last, or a randomly selected packet from
              the queue with a probability of prob-% percent.

       echo string ...
	      Echo the string argument(s) to standard output.

       ip_chaff dup|opt|ttl
              Interleave IP packets in the queue with duplicate IP packets
              containing different payloads, either scheduled for later
              delivery (dup), carrying invalid IP options (opt), or bearing
              short time-to-live values (ttl).  The ttl chaff is meant to be
              seen by a sensor in the path but to expire before it reaches
              the target, so it is only useful when the sensor is fewer hops
              away than the target host.

       ip_frag size [old|new]
              Fragment each packet in the queue into size-byte IP fragments,
              preserving the complete transport header in the first fragment.
              Because IP fragment offsets are expressed in 8-byte units, size
              must be a multiple of 8.  Optional overlapping fragments may be
              requested with old or new, which selects whether the overlap is
              built for a target stack that favors older (previously
              received) or newer (most recently received) data when
              reassembling.  Match the policy of the remote host, not that of
              any sensor in the path.

       ip_opt lsrr|ssrr ptr ip-addr ...
              Add IP options to every packet, to enable loose or strict source
              routing.  The route should be specified as a list of IP
              addresses, and a bytewise pointer into the option.  The pointer
              is counted from the start of the option and includes the 3-byte
              type/length/pointer header, so the minimum ptr value of 4
              selects the first address in the list.
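       The following is an added example (Python, not fragroute code and not
       part of this manual) showing the wire layout behind ip_opt lsrr|ssrr
       ptr ip-addr ...: the option consists of a type byte, a length byte, a
       1-based pointer byte and then 4-byte addresses, as defined in RFC 791.
       The alignment check on ptr is this example's own choice; the manual
       only states that the minimum value is 4.

```python
"""Wire encoding of the loose/strict source route options that
`ip_opt lsrr|ssrr ptr ip-addr ...` adds to each packet.

Added example, not fragroute source. Layout per RFC 791: type, length,
pointer, then 4-byte addresses. The pointer is a 1-based byte index from the
start of the option, so the first address sits at pointer 4; a pointer larger
than the option length means the source route is exhausted.
"""
import ipaddress

IPOPT_LSRR = 0x83   # loose source and record route (RFC 791 option 131)
IPOPT_SSRR = 0x89   # strict source and record route (RFC 791 option 137)
_KIND_TO_TYPE = {"lsrr": IPOPT_LSRR, "ssrr": IPOPT_SSRR}
_TYPE_TO_KIND = {v: k for k, v in _KIND_TO_TYPE.items()}


def build_source_route(kind, ptr, hops):
    """Return the option bytes for `ip_opt KIND PTR HOPS...`.

    Rejects values a target stack would refuse or misinterpret: ptr < 4
    points into the option header, a ptr not on an address boundary points
    into the middle of an address (this example's stricter check), and a
    ptr beyond length + 1 is meaningless.
    """
    if kind not in _KIND_TO_TYPE:
        raise ValueError("kind must be 'lsrr' or 'ssrr'")
    if not hops:
        raise ValueError("at least one address is required")
    length = 3 + 4 * len(hops)
    if length > 40:
        raise ValueError("IP options are limited to 40 bytes")
    if ptr < 4 or ptr > length + 1 or (ptr - 4) % 4 != 0:
        raise ValueError("ptr must be 4, 8, ... up to %d" % (length + 1))
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([_KIND_TO_TYPE[kind], length, ptr]) + body


def parse_source_route(opt):
    """Decode a source route option (from build_source_route or the wire).

    Returns the kind, the pointer, the hop list and the hop a router would
    forward to next (None once the pointer is past the end of the route).
    """
    if len(opt) < 3 or opt[0] not in _TYPE_TO_KIND:
        raise ValueError("not a source route option")
    length, ptr = opt[1], opt[2]
    if length != len(opt) or (length - 3) % 4 != 0:
        raise ValueError("bad option length")
    hops = [str(ipaddress.IPv4Address(opt[i:i + 4]))
            for i in range(3, length, 4)]
    index = (ptr - 4) // 4
    next_hop = hops[index] if 4 <= ptr <= length and index < len(hops) else None
    return {"kind": _TYPE_TO_KIND[opt[0]], "ptr": ptr,
            "hops": hops, "next_hop": next_hop}


def pad_options(opt):
    """IP header options must end on a 4-byte boundary; pad with EOL (0x00)."""
    return opt + b"\x00" * (-len(opt) % 4)


if __name__ == "__main__":
    # Constructed sample route, equivalent to: ip_opt lsrr 4 10.0.0.1 10.0.0.2
    opt = build_source_route("lsrr", 4, ["10.0.0.1", "10.0.0.2"])
    print(opt.hex(), parse_source_route(opt))
```

       With ptr 4 the first address is the next hop; with ptr 8 the first
       address is treated as already visited and the packet is routed to the
       second.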

       ip_ttl ttl
	      Set the IP time-to-live value of every packet to ttl.

       ip_tos tos
              Set the IP type-of-service bits for every packet to tos.

       order random|reverse
              Re-order the packets in the queue randomly, or in reverse.

       print  Print each packet in the queue in tcpdump-style format.

       tcp_chaff cksum|null|paws|rexmit|seq|syn|ttl
              Interleave TCP segments in the queue with duplicate TCP segments
              containing different payloads, either bearing invalid TCP
              checksums (cksum), null TCP control flags (null), older TCP
              timestamp options for PAWS elimination (paws), faked retransmits
              scheduled for later delivery (rexmit), out-of-window sequence
              numbers (seq), requests to re-synchronize sequence numbers
              mid-stream (syn), or short time-to-live values (ttl).  A sensor
              that does not verify checksums, track the receive window, or
              apply PAWS accepts chaff that the target stack discards, and so
              reconstructs a different stream from the one the host sees.

       tcp_opt mss|wscale size
              Add TCP options to every TCP packet, to set the maximum segment
              size or window scaling factor.

       tcp_seg size [old|new]
              Segment each TCP data segment in the queue into size-byte TCP
              segments.  Optional overlapping segments may be requested with
              old or new, which selects whether the overlap is built for a
              target stack that favors older or newer data when reassembling
              the stream, as for ip_frag.
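       The following is an added example (Python, not fragroute code and not
       part of this manual) modelling how a host that favors older data and
       one that favors newer data resolve the overlapping fragments produced
       by ip_frag size old|new and the overlapping segments produced by
       tcp_seg size old|new.  It shows the insertion effect behind both
       directives: when the sensor's overlap policy differs from the host's,
       the two reassemble different bytes.  The chaff placement (a
       full-extent duplicate filled with 'X' bytes) and the sample request
       are this example's own constructions; the manual does not specify
       fragroute's exact overlap layout.

```python
"""Model of overlap resolution in IP fragment / TCP segment reassembly.

Added example, not fragroute source. Shows why the old|new argument to
ip_frag and tcp_seg must match the target host: a sensor that resolves
overlapping data differently from the host reassembles a different byte
stream. The chaff placement is this example's own scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    """An IP fragment (offset = byte offset in the datagram) or a TCP segment
    (offset = relative sequence number). Both reduce to (offset, bytes)."""
    offset: int
    data: bytes


def reassemble(chunks, policy):
    """Rebuild the byte stream from chunks in arrival order.

    policy == "old": the first data received at an offset is kept.
    policy == "new": the most recently received data at an offset wins.
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    seen = {}
    for c in chunks:
        for i, byte in enumerate(c.data):
            pos = c.offset + i
            if policy == "new" or pos not in seen:
                seen[pos] = byte
    if not seen:
        return b""
    length = max(seen) + 1
    if len(seen) != length:
        raise ValueError("hole in reassembled data")
    return bytes(seen[i] for i in range(length))


def split_with_overlap(payload, size, favor, chaff_byte=0x58):
    """Split payload into size-byte chunks and pair each real chunk with an
    overlapping chaff chunk of the same extent filled with chaff_byte ('X').

    favor == "old": real first, chaff second, so a host keeping the
    first-received data recovers payload.
    favor == "new": chaff first, real second, so a host keeping the
    last-received data recovers payload.
    """
    if size <= 0:
        raise ValueError("size must be positive")
    if favor not in ("old", "new"):
        raise ValueError("favor must be 'old' or 'new'")
    out = []
    for off in range(0, len(payload), size):
        real = Chunk(off, payload[off:off + size])
        chaff = Chunk(off, bytes([chaff_byte]) * len(real.data))
        out.extend((real, chaff) if favor == "old" else (chaff, real))
    return out


def host_vs_sensor(payload, size, favor, sensor_policy):
    """Return (bytes seen by a host whose policy is `favor`,
               bytes seen by a sensor whose policy is `sensor_policy`)."""
    chunks = split_with_overlap(payload, size, favor)
    return reassemble(chunks, favor), reassemble(chunks, sensor_policy)


if __name__ == "__main__":
    # Constructed sample payload; any bytes would do.
    request = b"GET /cgi-bin/phf HTTP/1.0\r\n"
    host, sensor = host_vs_sensor(request, 8, "old", "new")
    print("host   :", host)
    print("sensor :", sensor)
```

       With the host favoring older data and the sensor favoring newer data,
       the host reassembles the request while the sensor sees only chaff;
       swapping the policies reverses the outcome, which is why old|new has
       to be chosen for the remote host's stack.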

EXAMPLES
       Fragment all traffic to a Windows host into forward-overlapping 8-byte
       fragments (favoring older data), reorder randomly, and print to
       standard output:

	    ip_frag 8 old
	    order random
	    print

       Segment all TCP data to a host into forward-overlapping 4-byte segments
       (favoring newer data), interleave with overwriting, random chaff
       segments bearing older timestamp options for PAWS elimination, reorder
       randomly, and print to standard output:

	    tcp_seg 4 new
	    tcp_chaff paws
	    order random
	    print

FILES
       /usr/local/etc/fragroute.conf
	      Default configuration ruleset

SEE ALSO
       fragtest(8)

AUTHOR
       Dug Song	<dugsong@monkey.org>

BUGS
       It is entirely possible to mangle your outgoing traffic so badly that
       no remote TCP/IP stack will accept it.  K.I.S.S.

								  FRAGROUTE(8)

<https://www.freebsd.org/cgi/man.cgi?query=fragroute&sektion=8&manpath=FreeBSD+13.0-RELEASE+and+Ports>