Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
TCP6(1)			    General Commands Manual		       TCP6(1)

NAME
       tcp6 - A	security assessment tool for TCP/IPv6 implementations

SYNOPSIS
       tcp6   -i   INTERFACE   [-S   LINK_SRC_ADDR]   [-D  LINK-DST-ADDR]  [-s
       SRC_ADDR[/LEN]]	[-d  DST_ADDR]	[-A  HOP_LIMIT]	 [-y  FRAG_SIZE]   [-u
       DST_OPT_HDR_SIZE]  [-U  DST_OPT_U_HDR_SIZE]  [-H	 HBH_OPT_HDR_SIZE] [-c
       OPEN_TYPE]  [-C	CLOSE_TYPE]  [-P  PAYLOAD_SIZE]	 [-o   SRC_PORT]   [-a
       DST_PORT]  [-X  TCP_FLAGS]  [-q	TCP_SEQ] [-Q TCP_ACK] [-V TCP_URP] [-w
       TCP_WIN]	[-W WINDOW_MODE] [-M WIN_MOD_MODE] [-Z	DATA]  [-N]  [-n]  [-j
       PREFIX[/LEN]]  [-k PREFIX[/LEN]]	[-J LINK_ADDR] [-K LINK_ADDR] [-b PRE-
       FIX[/LEN]]  [-g	PREFIX[/LEN]]  [-B  LINK_ADDR]	[-G   LINK_ADDR]   [-F
       N_SOURCES]  [-T	N_PORTS]  [-f] [-R] [-L] [-l] [-p PROBE_MODE] [-z SEC-
       ONDS] [-r RATE] [-v] [-h]

DESCRIPTION
       tcp6 tool allows	the assessment of IPv6 implementations with respect to
       a  variety  of  attack vectors based on TCP/IPv6	segments. This tool is
       part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for
       the IPv6	protocols.

       tcp6  can  be employed to perform specific TCP connection-establishment
       and connection-termination sequences. For example, it can  be  employed
       to  simulate  a TCP "simultaneous open" scenario	(see the "--open-mode"
       option) or to simulate a	TCP "simultaneous  close"  scenario  (see  the
       "--close-mode"  option).	 It can	be employed to perform a number	of re-
       source-exhaustion attacks against TCP, such  as	SYN-flooding  attacks,
       connection-flooding    attacks	 (see	 the   "--flood-sources"   and
       "--flood-ports" options), etc. Additionally, it can be employed to  ex-
       ploit  attack  vectors  based on	the TCP	window (see the	"--window" op-
       tion).

       tcp6 tool has two modes of operation: active and	listening.  In	active
       mode,  the  tool	attacks	a specific target, while in listening mode the
       tool listens to TCP traffic on the local	network, and launches  an  at-
       tack  in	 response  to such traffic. Active mode	is employed if an IPv6
       Destination Address is specified. Listening mode	 is  employed  if  the
       "-L" option (or its long	counterpart "--listen")	is set.	If both	an at-
       tack target and the "-L"	option are specified, the attack  is  launched
       against	the  specified target, and then	the tool enters	listening mode
       to respond incoming packets with	TCP segments.

       tcp6 supports filtering of  incoming  packets  based  on	 the  Ethernet
       Source  Address,	 the Ethernet Destination Address, the IPv6 Source Ad-
       dress, and the IPv6 Destination Address.	 There are two types  of  fil-
       ters:  "block  filters"	and "accept filters". If any "block filter" is
       specified, and the incoming packet matches any of  those	 filters,  the
       message	is  discarded (and thus	no TCP segments	are sent in response).
       If any "accept filter" is specified, incoming packets  must  match  the
       specified filters in order for the tool to respond with TCP segments.

OPTIONS
       tcp6  takes itS parameters as command-line options. Each	of the options
       can be specified	with a short name (one character preceded with the hy-
       phen  character,	 as  e.g. "-i")	or with	a long name (a string preceded
       with two	hyphen characters, as e.g. "--interface").

       If the tool is instructed to e.g. flood the victim  with	 TCP  segments
       from different sources ("--flood-sources" option), multiple packets may
       need to be generated.

       tcp6 supports IPv6 Extension Headers, including the IPv6	 Fragmentation
       Header,	which  might  be of use	to circumvent layer-2 filtering	and/or
       Network Intrusion Detection Systems  (NIDS).  However,  IPv6  extension
       headers	are  not  employed  by default,	and must be explicitly enabled
       with the	corresponding options.

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  The	 network  interface  must be specified (i.e., the tool
	      does not select any network interface "by	default").

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies the	link-layer Source Address of the probe
	      packets.	If  left unspecified, the link-layer Source Address of
	      the packets is set to the	real link-layer	address	of the network
	      interface.  Note:	this option is meaningful only when the	under-
	      lying link-layer technology is Ethernet.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      probe packets. By	default, the link-layer	Destination Address is
	      automatically set	to the link-layer address of  the  destination
	      host  (for on-link destinations) or to the link-layer address of
	      the first-hop router. Note: this option is meaningful only  when
	      the underlying link-layer	technology is Ethernet.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This  option  specifies the IPv6 source address (or IPv6 prefix)
	      to be used for the Source	Address	of the attack packets. If  the
	      "-F"  ("--flood-sources")	 option	 is specified, this option in-
	      cludes an	IPv6 prefix, from which	random addresses are selected.
	      See  the	description of the "-F"	option for further information
	      on how the "-s" option is	processed in that specific case.

	      Note: When operating in "listening" mode,	the Source Address  is
	      automatically  set  to  the  Destination Address of the incoming
	      packet.

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of  the  vic-
	      tim.  It	can be left unspecified	only if	the "-L" option	is se-
	      lected (i.e., if the tool	is to operate in "listening" mode).

	      Note: When operating in "listening" mode,	 the  Destination  Ad-
	      dress is automatically set to the	Source Address of the incoming
	      packet.

       -A HOP_LIMIT, --hop-limit HOP_LIMIT

	      This option specifies the	Hop Limit to  be  used	for  the  IPv6
	      packets. It defaults to 255.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the outgoing packet(s). The  extension  header  size
	      must  be	specified as an	argument to this option	(the header is
	      filled with padding options). Multiple Destination Options head-
	      ers may be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This  option  specifies  a  Destination Options header to	be in-
	      cluded in	the "unfragmentable part" of the  outgoing  packet(s).
	      The  header size must be specified as an argument	to this	option
	      (the header is filled with padding options).  Multiple  Destina-
	      tion  Options headers may	be specified by	means of multiple "-U"
	      options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This option specifies that a Hop-by-Hop Options header is	to  be
	      included	in  the	 outgoing  packet(s).  The header size must be
	      specified	as an argument to this option (the  header  is	filled
	      with  padding  options). Multiple	Hop-by-Hop Options headers may
	      be specified by means of multiple	"-H" options.

       -y FRAG_SIZE, --frag-hdr	FRAG_SIZE

	      This option specifies that the resulting packet  must  be	 frag-
	      mented.  The  fragment  size must	be specified as	an argument to
	      this option.

       -P PAYLOAD_SIZE,	--payload-size PAYLOAD_SIZE

	      This options specifies the size of the TCP payload. It  defaults
	      to 0 (i.e., empty	TCP segments).

       -o SRC_PORT, --src-port SRC_PORT

	      This option specifies the	TCP Source Port.

       -a DST_PORT, --dst-port DST_PORT

	      This option specifies the	TCP/UDP	Destination Port.

       -X TCP_FLAGS, --tcp-flags TCP_FLAGS

	      his  option is used to set specific the TCP flags. The flags are
	      specified	as "F" (FIN), "S" (SYN), "R"  (RST),  "P"  (PSH),  "A"
	      (ACK), "U" (URG),	"X" (no	flags).

	      If  this	option	is not set, and	the tool operates in listening
	      mode, the	flags of the generated TCP segments are	 automatically
	      set  as follows: TCP segments elicited by	SYNs have both the SYN
	      and ACK flags set. All other TCP segments	have the ACK bit set.

       -q SEQ_NUMBER, --tcp-seq	SEQ_NUMBER

	      This option specifies the	Sequence Number	of the TCP header.  If
	      left unspecified,	the Sequence Number is randomized.

	      If  this option is left unspecified and the tool is operating in
	      listening	mode, the TCP Sequence Number is set to	 the  Acknowl-
	      edgement Number of the packet that elicited the TCP segment.

       -Q ACK_NUMBER, --tcp-ack	ACK_NUMBER

	      This  option specifies the Acknowledgment	Number of the TCP seg-
	      ment. If left unspecified, the Acknowledgment Number is  random-
	      ized.

	      If  this option is left unspecified and the tool is operating in
	      listening	mode, the TCP Sequence Number is set to	 the  Acknowl-
	      edgement Number of the packet that elicited the TCP segment.

       -V URG_POINTER, --tcp-urg URG_POINTER

	      This  option specifies the Urgent	Pointer	of the TCP segment. If
	      left unspecified,	the Urgent Pointer is set to 0.

       -w TCP_WINDOW, --tcp-win	TCP_WINDOW

	      This option specifies the	value of the TCP Window. If  left  un-
	      specified, the Window is randomized.

       -W WIN_MODE, --window-mode WIN_MODE

	      This  option specifies how to operate the	TCP window by means of
	      the WIN_MODE parameter. Two modes	are supported:

		 + closed
		 + modulated

	      When the "closed"	mode is	selected, the TCP window will  be  set
	      to  0  (i.e.,  "closed  window").	If the tool estabishes new TCP
	      connections,  the	 initial  window  advertised  during  the  TCP
	      three-way	handshake will be that specified with the '-w' option.
	      However, once the	connection has been established, the TCP  win-
	      dow  will	be set to 0. This allows for the implementation	of the
	      so-called	Netkill	attack,	discussed in Section 7.1.1 of the doc-
	      ument  "Security Assessment of the Transmission Control Protocol
	      (TCP)"	  (available	  at:	   <http://www.gont.com.ar/pa-
	      pers/tn-03-09-security-assessment-TCP.pdf>).

	      When  the	 "modulated" mode is selected, the TCP window will os-
	      cillate between alternate	between	two  different	values.	 These
	      values,  along the amount	of time	that each of them is "active",
	      can be specified by means	of the '-M' ("--win-modulate") option.
	      The  first  of  the  aforementioned values is meant to close the
	      window (hence it will typically be zero),	while  the  second  is
	      meant  to	open the window. The goal of alternating between these
	      two values is to circumvent a trivial mitigation	against	 Zero-
	      Window  attacks  implemented by some stacks where	they enforce a
	      limit on the maximum amount of time that the TCP advertised by a
	      remote  peer  remains fully-closed (i.e.,	set to 0). By changing
	      the advertised window to some other (small) value	every now  and
	      then,  such  a  trivial  "counter-measure" can be	easily circum-
	      vented.

       -M WIN_MOD_MODE,	--win-modulation WIN_MOD_MODE

	      This option specifies the	two values (and	their respective dura-
	      tion)  over  which  the  TCP  window  will  alternate. The value
	      WIN_MOD_MODE hast	the syntax "WIN1:TIME1:WIN2:TIME2", where  the
	      WIN1  and	 WIN2  parameters  specify the window size for each of
	      these periods, while the	TIME1  and  TIME2  parameters  specify
	      their respective time lengths. For example, setting "--win-modu-
	      lation 0:60:10:30" will cause tcp6 to alternate  between	adver-
	      tising a TCP window of 0 bytes for 60 seconds, and advertising a
	      TCP window of 10 bytes for 30 seconds.

	      This option will be typically employed along  with  one  of  the
	      flooding	options	 ("--flood-sources" an/or "--flood-ports") and
	      the "--data" option, such	that multiple TCP connections are  es-
	      tablished,  and the target TCPs keep their retransmission	buffer
	      full. In this scenario, the TCP window "modulation"  option  can
	      be  leveraged  to	 evade trivial counter-measures	implemented by
	      some TCP stacks that try to mitigate Zero-Window attacks by  en-
	      forcing a	limit on the maximum amount of time the	TCP window can
	      be in the	"closed	state".

       -c OPEN_MODE, --open-mode OPEN_MODE

	      This option specifies  the  connection-establishment  mode.  The
	      following	modes are available:

		 + simultaneous
		 + passive
		 + abort

	      When  the	 "simultaneous"	mode is	selected, tcp6 will respond to
	      incoming SYN segments with other SYN segments, thus simulating a
	      "simultaneous  open"  scenario.  When  the "passive" mode	is se-
	      lected, tcp6 will	respond	to incoming SYN	segments with the typ-
	      ical   SYN/ACK   segments,   thus	 leading  to  the  traditional
	      "three-way handshake". Finally, when the	"abort"	 mode  si  se-
	      lected,  tcp6 wil	respond	to incoming SYN	segments with RST seg-
	      ments, thus aborting the incoming	connections.

	      For the most part, this option is	useful for assessing the  cor-
	      rect  behavior of	TCP implementations (e.g., support for "simul-
	      taneous opens").

       -C CLOSE_MODE, --close-mode CLOSE_MODE

	      This option specifies the	the connection-termination  mode.  The
	      following	modes are available:

		 + simultaneous
		 + passive
		 + abort
		 + active
		 + FIN-WAIT-1
		 + FIN-WAIT-2
		 + LAST-ACK

	      When  the	 "simultaneous"	mode is	selected, tcp6 will respond to
	      incoming FIN segments with FIN segments, thus simulating a  "si-
	      multaneous close"	scenario. When the "passive" mode is selected,
	      tcp6 will	respond	to incoming  FIN  segments  with  the  typical
	      FIN/ACK  segments,  thus	leading	to the traditional TCP connec-
	      tion-termination sequence. When the "abort"  mode	 is  selected,
	      tcp6  wil	 respond  to  incoming FIN segments with RST segments,
	      thus aborting the	corresponding connections. When	 the  "active"
	      mode is selected,	tcp6 will start	the connection-termination se-
	      quence by	sending	a FIN segment.

	      The FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK modes  will  result  in
	      connections in the FIN-WAIT-1, FIN-WAIT-2, and LAST-ACK, respec-
	      tively. It should	be noted that in order for the remote TCPs  to
	      transition  to  the  FIN-WAIT-1 or FIN-WAIT-2 states, the	remote
	      TCPs must	perform	the "active  close".  This  can	 be  trivially
	      triggered	 for application protocols such	as HTTP, but might not
	      be feasible for other protocols.

       -Z DATA,	--data DATA

	      This option is used to specify a payload that should be sent  as
	      the  first  data	segment	 once a	TCP connection has been	estab-
	      lished. It will typically	include	an application-layer  request.
	      Note:  the  string  used	for the	DATA parameter can contain the
	      "\r" and "\n" C-style escape senquenced for  representing	 "car-
	      riage return" and	"line feed" (respectively).

	      As an example, this option could be employed to send an HTTP re-
	      quest if set as '--data "GET / HTTP/1.0\r\n\r\n"'.

       -N, --not-ack-data

	      This option instructs tcp6 not to	acknowledge the	TCP payload of
	      incoming segments	(when operating	in listening mode).

	      Note: By default,	tcp6 will acknowledge both the payload and the
	      flags of the incoming TCP	segments.

       -n, --not-ack-flags

	      This option instructs tcp6 not to	acknowledge the	TCP flags (SYN
	      and/or  FIN)  of	incoming segments (when	operating in listening
	      mode).

	      Note: By default,	tcp6 will acknowledge both the payload and the
	      flags of the incoming TCP	segments.

       -j SRC_ADDR, --block-src	SRC_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their IPv6 Source Address. It allows the specification	of  an
	      IPv6  prefix  in	the  form "-j prefix/prefixlen". If the	prefix
	      length is	not specified, a prefix	length of "/128"  is  selected
	      (i.e.,  the  option  assumes  that a single IPv6 address,	rather
	      than an IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst	DST_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	 IPv6 Destination Address. It allows the specification
	      of an IPv6 prefix	in the form "-k	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -J LINK_ADDR, --block-link-src LINK_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their link-layer Source Address. The option must be  followed
	      by a link-layer address (currently, only Ethernet	is supported).

       -K LINK_ADDR, --block-link-dst LINK_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their link-layer Destination Address. The option must be fol-
	      lowed  by	a link-layer address (currently, only Ethernet is sup-
	      ported).

       -b SRC_ADDR, --accept-src SRC_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	their IPv6 Source Address. It allows the specification
	      of an IPv6 prefix	in the form "-b	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

	      This option sets a accept	filter for the incoming	packets, based
	      on their IPv6 Destination	Address. It allows  the	 specification
	      of an IPv6 prefix	in the form "-g	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -B LINK_ADDR, --accept-link-src LINK_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	 their	link-layer  Source Address. The	option must be
	      followed by a link-layer address (currently,  only  Ethernet  is
	      supported).

       -G LINK_ADDR, --accept-link-dst LINK_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their link-layer	Destination Address. The  option  must
	      be followed by a link-layer address (currently, only Ethernet is
	      supported).

       -F N_SOURCES, --flood-sources N_SOURCES

	      This option instructs the	tool to	 send  multiple	 TCP  segments
	      with  different Source Addresses.	The number of different	source
	      addresses	is specified as	"-F number".  The  Source  Address  of
	      each  TCP	segment	is randomly selected from the prefix specified
	      by the "-s" option. If the "-F" option is	specified but the "-s"
	      option is	left unspecified, the Source Address of	the packets is
	      randomly selected	from the prefix	::/0.

       -T N_PORTS, --flood-ports N_PORTS

	      This option instructs the	tool to	 send  multiple	 TCP  segments
	      with different Source Ports. The Source Port of each TCP segment
	      is randomly selected from	the whole port number space (0-65535).

       -l, --loop

	      This option instructs the	tcp6 tool to send  periodic  TCP  seg-
	      ments  to	 the  victim node. The amount of time to pause between
	      sending TCP segments can be specified by means of	the  "-z"  op-
	      tion,  and defaults to 1 second. Note that this option cannot be
	      set in conjunction with the "-L" ("--listen") option.

       -z, --sleep

	      This option specifies the	amount of time to pause	between	 send-
	      ing  TCP segments	(when the "--loop" option is set). If left un-
	      specified, it defaults to	1 second.

       -r RATE,	--rate-limit RATE

	      This option specifies the	rate limit to use  when	 performing  a
	      remote  address  scan.  "RATE"  should be	specified as "xbps" or
	      "xpps" (with "x" being an	unsigned integer), for rate-limits  in
	      bits per second or packets per second, respectively.

       -L, --listen

	      This  instructs the tcp6 tool to operate in listening mode (pos-
	      sibly after attacking a given node). Note	that this option  can-
	      not be used in conjunction with the "-l" ("--loop") option.

       -p PROBE_MODE, --probe-mode PROBE_MODE

	      This  option  instructs  tcp6 to operate in probe	mode. The spe-
	      cific probe mode is specified as	an  argument  to  this	option
	      (currently,  only	 "script"  mode	 is supported).	In probe mode,
	      tcp6 sends probe segments, and waits for response	 packets.  The
	      response packets are decoded based on the	selected probe mode.

	      In  the  "script"	 probe	mode, the tool decodes TCP segments as
	      follows:

		   RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...

	      Where the	string RESPONSE	is fixed, and RESPONSE_TYPE  indicates
	      the  response received. As of this version of the	tool, the fol-
	      lowing RESPONSE_TYPE values are supported:

		 + TCP6: Indicates that	the tool received a TCP/IPv6 packet
		 + TIMEOUT: Indicates that the tool received no	response

	      If RESPONSE_TYPE is TCP6,	RESPONSE code contains the  TCP	 flags
	      set in the receive TCP segment. The TCP flags are	encoded	as "F"
	      (FIN), "S" (SYN),	"R" (RST),  "P"	 (PSH),	 "A"  (ACK),  and  "U"
	      (URG).

	      Possibe output lines of the tool are:

		  RESPONSE:TIMEOUT:
		  RESPONSE:TCP6:RA:

	      Note:  Future versions of	the tool will also decode ICMPv6 error
	      messages,	and will include additional data regarding the	incom-
	      ing TCP segments (e.g., ACK value, payload size, etc.).

       -v, --verbose

	      This option instructs the	tcp6 tool to be	verbose.  When the op-
	      tion is set twice, the tool is "very verbose", and the tool also
	      informs  which  packets have been	accepted or discarded as a re-
	      sult of applying the specified filters.

       -h, --help

	      Print help information for the tcp6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the tcp6 tool.

       Example #1

       # tcp6 -s fc00:1::/64 -d	fc00:1::1 -a 22	-X S -F	100 -l -z 1 -v

       In this example the tcp6	tool is	essentially employed to	perform	a SYN-
       flood  attack  against  port  number 22 of the host fc00:1::1. The tool
       uses the	network	interface "eth0" (as specified by  the	"-i"  option),
       and  sends SYN segments (as specified by	the "-X" option) from the pre-
       fix fc00:1::/64 (as specified by	the "-s" option) to port 22 (specified
       by  the "-a" option) at the destination address fc00:1::1 (specified by
       the "-d"	option). The tool sends	TCP segments from  100	different  ad-
       dresses	(as  specified by the "-F" option) every one second (as	speci-
       fied by the "-l"	and "-z" options). The tool will be verbose (as	speci-
       fied by the "-v"	option).

       Example #2

       # tcp6 -i eth0 -L -X RA -v

       In this example,	the tcp6 tool is employed to perform a TCP connection-
       reset attack against all	 active	TCP connections	in the local  network.
       The tool	listens	("-L") on the interface	eth0 ("-i eth0"), and responds
       to any TCP segments with	a RST packet (with both	the RST	and  ACK  bits
       set). The tool will be verbose.

       Example #3

       #  tcp6	-i  eth0  -d  fc00:1::1	-a 80 -L -s fc00:1::/112 -l -r 1pps -v
       --data "GET / HTTP/1.0\r\n\r\n" --close-mode last-ack --flood-ports 10

       Flood the target	system (fc00:1::1) with	connections that stay  in  the
       LAST-ACK	 state	(on  port 80), sending packets at a rate of one	packet
       per second. For each forged address, 10 different  (forged)  ports  are
       used. For each connection, tcp6 will send an HTTP application request.

       Example #4

       #  tcp6	-i  eth0  -d  fc00:1::1	-a 80 -L -s fc00:1::/112 -l -r 1000pps
       --tcp-flags auto	-v --data "GET /  HTTP/1.0\r\n\r\n"  --flood-ports  10
       --window-mode close

       Flood the target	node (fc00:1::1) with TCP connections (on port 80). On
       each connection that is established, an HTTP request is sent,  and  the
       TCP  window  is immediately closed. For each forged IPv6	source address
       ten different TCP source	ports are randomized. The bandwidth of the at-
       tack is limited to 1000 pps.

       Example #5

       #  tcp6 -d fc00:1::1 -a 80 --tcp-flags A	--dst-opt-hdr 8	--payload-size
       50 --probe-mode script

       Send a probe TCP	segment	to TCP port 80 at fc00:1::1. The probe	packet
       consists	 of  an	 IPv6  packet  with  a Destination Options header of 8
       bytes, and an IPv6 payload consisting of	a TCP segment with the ACK bit
       set, and	50 data	bytes. The probe mode is "script".

SEE ALSO
       "Security  Assessment  of  the  Transmission  Control  Protocol	(TCP)"
       (available at: <http://www.gont.com.ar/papers/tn-03-09-security-assess-
       ment-TCP.pdf>) for a discussion of TCP vulnerabilities.

AUTHOR
       The  tcp6 tool and the corresponding manual pages were produced by Fer-
       nando Gont _fgont@si6networks.com_ for SI6 Networks _http://www.si6net-
       works.com_.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission  is  granted to copy,	distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version  1.3  or
       any  later  version  published by the Free Software Foundation; with no
       Invariant Sections, no Front-Cover Texts, and no	Back-Cover  Texts.   A
       copy   of   the	 license   is	available  at  _http://www.gnu.org/li-
       censes/fdl.html_.

								       TCP6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=tcp6&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help