FRAGROUTER(8)		    System Manager's Manual		 FRAGROUTER(8)

NAME
       fragrouter - network intrusion detection	evasion	toolkit

SYNOPSIS
       fragrouter [ -i interface ] [ -p	] [ -g hop ] [ -G hopcount ] ATTACK

DESCRIPTION
       Fragrouter is a program for routing network traffic in such a way as to
       elude most network intrusion detection systems.

       Most attacks implemented correspond to those listed in the Secure
       Networks "Insertion, Evasion, and Denial of Service: Eluding Network
       Intrusion Detection" paper of January 1998.

OPTIONS
       -i     Specify the interface to accept packets on.

       -p     Preserve the entire protocol header in the first fragment.  This
              is useful in bypassing packet filters that deny short IP
              fragments.

       -g     Specify a hop along a loose source routed path. Can be used more
              than once to build a chain of hop points.

       -G     Positions the "hop counter" within the list of hosts in the path
              of a source routed packet. Should be a multiple of 4. Can be set
              past the length of the loose source routed path to implement
              Anthony Osborne's Windows IP source routing attack of September
              1999.

       The  following  attack  options	are  mutually exclusive	- you may only
       specify one type	of attack to run at a time.

       -B1    baseline-1: Normal IP forwarding.

       -F1    frag-1: Send data	in ordered 8-byte IP fragments.

       -F2    frag-2: Send data	in ordered 24-byte IP fragments.

       -F3    frag-3: Send data in ordered 8-byte IP fragments, with one
              fragment sent out of order.

       -F4    frag-4: Send data in ordered 8-byte IP fragments, duplicating
              the penultimate fragment in each packet.

       -F5    frag-5: Send data in out of order 8-byte IP fragments,
              duplicating the penultimate fragment in each packet.

       -F6    frag-6: Send data in ordered 8-byte IP fragments, sending the
              marked last fragment first.

       -F7    frag-7: Send data in ordered 16-byte IP fragments, preceding
              each fragment with an 8-byte null data fragment that overlaps
              the latter half of it. This amounts to the forward-overlapping
              16-byte fragment rewriting the null data back to the real
              attack.

       -T1    tcp-1: Complete TCP handshake, send fake FIN and RST  (with  bad
	      checksums) before	sending	data in	ordered	1-byte segments.

       -T3    tcp-3: Complete TCP handshake, send data in ordered 1-byte
              segments, duplicating the penultimate segment of each original
              TCP packet.

       -T4    tcp-4: Complete TCP handshake, send data in ordered 1-byte
              segments, sending an additional 1-byte segment which overlaps
              the penultimate segment of each original TCP packet with a null
              data payload.

       -T5    tcp-5: Complete TCP handshake, send data in ordered 2-byte
              segments, preceding each segment with a 1-byte null data segment
              that overlaps the latter half of it. This amounts to the
              forward-overlapping 2-byte segment rewriting the null data back
              to the real attack.

       -T7    tcp-7: Complete TCP handshake, send data in ordered 1-byte
              segments interleaved with 1-byte null segments for the same
              connection but with drastically different sequence numbers.

       -T8    tcp-8: Complete TCP handshake, send data in ordered 1-byte
              segments with one segment sent out of order.

       -T9    tcp-9: Complete TCP handshake, send data in out of order 1-byte
              segments.

       -C2    tcbc-2: Complete TCP handshake, send data in ordered 1-byte
              segments interleaved with SYN packets for the same connection
              parameters.

       -C3    tcbc-3: Do not complete TCP handshake, but send null data in
              ordered 1-byte segments as if one had occurred. Then, complete
              a TCP handshake with the same connection parameters, and send
              the real data in ordered 1-byte segments.

       -R1    tcbt-1: Complete TCP handshake, shut connection down with	a RST,
	      re-connect with drastically different sequence numbers and  send
	      data in ordered 1-byte segments.

       -I2    ins-2: Complete TCP handshake, send data in ordered 1-byte
              segments but with bad TCP checksums.

       -I3    ins-3: Complete TCP handshake, send data in ordered 1-byte
              segments but with no ACK flag set.

       -M1    misc-1: Thomas Lopatic's Windows NT 4 SP2 IP fragmentation
              attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for
              details). This attack has only been implemented for UDP.

       -M2    misc-2: John McDonald's Linux IP chains IP fragmentation attack
              of July 1998 (see http://www.dataprotect.com/ipchains/ for
              details). This attack has only been implemented for TCP and UDP.

SEE ALSO
       tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR
       Dug Song, Anzen Computing.

       The current version is available	via HTTP:

	      http://www.anzen.com/research/nidsbench/

BUGS
       IP  options  will carry across all fragments of a packet. Fragrouter is
       not smart enough	to determine which IP options are valid	 only  in  the
       first fragment. This is considered a feature, not a bug.	:-)

       Similarly,  TCP	options	 will carry across all segments	of a split TCP
       packet -	except for null	data packets preceding	a  forward  overwrite,
       which lack any TCP options in order to elude TCP	PAWS elimination.

       Please send bug reports to nidsbench@anzen.com.

				 26 April 1999			 FRAGROUTER(8)
