UDP6(1)			    General Commands Manual		       UDP6(1)

NAME
       udp6 - A	security assessment tool for UDP/IPv6 implementations

SYNOPSIS
       udp6   -i   INTERFACE   [-S   LINK_SRC_ADDR]   [-D  LINK-DST-ADDR]  [-s
       SRC_ADDR[/LEN]]	[-d  DST_ADDR]	[-A  HOP_LIMIT]	 [-y  FRAG_SIZE]   [-u
       DST_OPT_HDR_SIZE]  [-U  DST_OPT_U_HDR_SIZE]  [-H	 HBH_OPT_HDR_SIZE] [-P
       PAYLOAD_SIZE] [-o SRC_PORT] [-a DST_PORT] [-Z DATA]  [-j	 PREFIX[/LEN]]
       [-k  PREFIX[/LEN]]  [-J LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]] [-g
       PREFIX[/LEN]] [-B LINK_ADDR] [-G	LINK_ADDR] [-F N_SOURCES] [-T N_PORTS]
       [-L] [-l] [-p PROBE_MODE] [-z SECONDS] [-r RATE]	[-v] [-h]

DESCRIPTION
       udp6  allows  the  assessment of	IPv6 implementations with respect to a
       variety of attack vectors based on UDP/IPv6  datagrams.	This  tool  is
       part of the SI6 Networks' IPv6 Toolkit: a security assessment and trou-
       bleshooting toolkit for the IPv6	protocols.

       The udp6 tool has two modes of operation: active and listening. In
       active mode, the tool attacks a specific target, while in listening
       mode the tool listens to UDP traffic on the local network, and
       launches an attack in response to such traffic. Active mode is
       employed if an IPv6 Destination Address is specified. Listening mode
       is employed if the "-L" option (or its long counterpart "--listen")
       is set. If both an attack target and the "-L" option are specified,
       the attack is launched against the specified target, and then the
       tool enters listening mode to respond to incoming packets with UDP
       datagrams.

       udp6 supports filtering of  incoming  packets  based  on	 the  Ethernet
       Source  Address,	 the Ethernet Destination Address, the IPv6 Source Ad-
       dress, and the IPv6 Destination Address.	 There are two types  of  fil-
       ters:  "block  filters"	and "accept filters". If any "block filter" is
       specified, and the incoming packet matches any of  those	 filters,  the
       message	is discarded (and thus no UDP datagrams	are sent in response).
       If any "accept filter" is specified, incoming packets  must  match  the
       specified filters in order for the tool to respond with UDP datagrams.
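
The filter rules described above, modelled for the IPv6 address filters only (link-layer filters are left out). This is an added example, not code from the udp6 tool; the function names are hypothetical, and it assumes that a packet passes when it matches at least one of the configured accept filters.

```python
import ipaddress


def parse_prefix(text):
    """Parse "prefix/prefixlen"; a bare address becomes a /128 prefix."""
    return ipaddress.IPv6Network(text, strict=False)


def should_respond(src, dst, block_src=(), block_dst=(),
                   accept_src=(), accept_dst=()):
    """Return True if a packet with these addresses would be answered."""
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)

    def hit(addr, prefixes):
        return any(addr in parse_prefix(p) for p in prefixes)

    # A match on any block filter discards the packet.
    if hit(src, block_src) or hit(dst, block_dst):
        return False
    # With no accept filter configured, every packet that was not blocked passes.
    if not (accept_src or accept_dst):
        return True
    # Assumption: one matching accept filter is enough.
    return hit(src, accept_src) or hit(dst, accept_dst)


if __name__ == "__main__":
    # Constructed addresses, taken from the fc00:1::/64 prefix used on this page.
    print(should_respond("fc00:1::5", "fc00:1::1", block_src=["fc00:1::/64"]))
    print(should_respond("fc00:1::6", "fc00:1::1", block_src=["fc00:1::5"]))
```
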

OPTIONS
       udp6 takes its parameters as command-line options. Each of the
       options can be specified with a short name (one character preceded
       by the hyphen character, e.g. "-i") or with a long name (a string
       preceded by two hyphen characters, e.g. "--interface").

       If the tool is instructed to e.g. flood the victim with	UDP  datagrams
       from different sources ("--flood-sources" option), multiple packets may
       need to be generated.

       udp6 supports IPv6 Extension Headers, including the IPv6	 Fragmentation
       Header,	which  might  be of use	to circumvent layer-2 filtering	and/or
       Network Intrusion Detection Systems  (NIDS).  However,  IPv6  extension
       headers	are  not  employed  by default,	and must be explicitly enabled
       with the	corresponding options.

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  The	 network  interface  must be specified (i.e., the tool
	      does not select any network interface "by	default").

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies the	link-layer Source Address of the probe
	      packets.	If  left unspecified, the link-layer Source Address of
	      the packets is set to the	real link-layer	address	of the network
	      interface.  Note:	this option is meaningful only when the	under-
	      lying link-layer technology is Ethernet.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      probe packets. By	default, the link-layer	Destination Address is
	      automatically set	to the link-layer address of  the  destination
	      host  (for on-link destinations) or to the link-layer address of
	      the first-hop router. Note: this option is meaningful only  when
	      the underlying link-layer	technology is Ethernet.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This  option  specifies the IPv6 source address (or IPv6 prefix)
	      to be used for the Source	Address	of the attack packets. If  the
	      "-F"  ("--flood-sources")	 option	 is specified, this option in-
	      cludes an	IPv6 prefix, from which	random addresses are selected.
	      See  the	description of the "-F"	option for further information
	      on how the "-s" option is	processed in that specific case.

	      Note: When operating in "listening" mode,	the Source Address  is
	      automatically  set  to  the  Destination Address of the incoming
	      packet.

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of  the  vic-
	      tim.  It	can be left unspecified	only if	the "-L" option	is se-
	      lected (i.e., if the tool	is to operate in "listening" mode).

	      Note: When operating in "listening" mode,	 the  Destination  Ad-
	      dress is automatically set to the	Source Address of the incoming
	      packet.

       -A HOP_LIMIT, --hop-limit HOP_LIMIT

	      This option specifies the	Hop Limit to  be  used	for  the  IPv6
	      packets. It defaults to 255.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the outgoing packet(s). The  extension  header  size
	      must  be	specified as an	argument to this option	(the header is
	      filled with padding options). Multiple Destination Options head-
	      ers may be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This  option  specifies  a  Destination Options header to	be in-
	      cluded in	the "unfragmentable part" of the  outgoing  packet(s).
	      The  header size must be specified as an argument	to this	option
	      (the header is filled with padding options).  Multiple  Destina-
	      tion  Options headers may	be specified by	means of multiple "-U"
	      options.

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This option specifies that a Hop-by-Hop Options header is	to  be
	      included	in  the	 outgoing  packet(s).  The header size must be
	      specified	as an argument to this option (the  header  is	filled
	      with  padding  options). Multiple	Hop-by-Hop Options headers may
	      be specified by means of multiple	"-H" options.

       -y FRAG_SIZE, --frag-hdr	FRAG_SIZE

	      This option specifies that the resulting packet  must  be	 frag-
	      mented.  The  fragment  size must	be specified as	an argument to
	      this option.

       -P PAYLOAD_SIZE,	--payload-size PAYLOAD_SIZE

	      This option specifies the size of the UDP payload. It  defaults
	      to 0 (i.e., empty	UDP datagrams).

       -o SRC_PORT, --src-port SRC_PORT

	      This option specifies the	UDP Source Port.

       -a DST_PORT, --dst-port DST_PORT

	      This option specifies the	UDP Destination	Port.

       -Z DATA,	--data DATA

	      This  option  is	used to	specify	the UDP	payload. It will typi-
	      cally include an application-layer  request.  Note:  the	string
	      used  for	 the  DATA  parameter  can  contain  the "\r" and "\n"
	      C-style escape sequences for representing "carriage return" and
	      "line feed" (respectively).

	      As an example, this option could be employed to send an HTTP re-
	      quest if set as '--data "GET / HTTP/1.0\r\n\r\n"'.

       -j SRC_ADDR, --block-src	SRC_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	IPv6 Source Address. It	allows the specification of an
	      IPv6 prefix in the form "-j  prefix/prefixlen".  If  the	prefix
	      length  is  not specified, a prefix length of "/128" is selected
	      (i.e., the option	assumes	that a	single	IPv6  address,	rather
	      than an IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst	DST_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their IPv6 Destination	Address. It allows  the	 specification
	      of an IPv6 prefix	in the form "-k	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -J LINK_ADDR, --block-link-src LINK_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	link-layer Source Address. The option must be followed
	      by a link-layer address (currently, only Ethernet	is supported).

       -K LINK_ADDR, --block-link-dst LINK_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on their link-layer Destination Address. The option must be fol-
	      lowed by a link-layer address (currently,	only Ethernet is  sup-
	      ported).

       -b SRC_ADDR, --accept-src SRC_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their IPv6 Source Address. It allows the	 specification
	      of an IPv6 prefix	in the form "-b	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

	      This option sets an accept filter for the incoming packets, based
	      on  their	 IPv6 Destination Address. It allows the specification
	      of an IPv6 prefix	in the form "-g	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -B LINK_ADDR, --accept-link-src LINK_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their link-layer	Source Address.	 The  option  must  be
	      followed	by  a  link-layer address (currently, only Ethernet is
	      supported).

       -G LINK_ADDR, --accept-link-dst LINK_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	 their link-layer Destination Address. The option must
	      be followed by a link-layer address (currently, only Ethernet is
	      supported).

       -F N_SOURCES, --flood-sources N_SOURCES

	      This  option  instructs  the tool	to send	multiple UDP datagrams
	      with different Source Addresses. The number of different	source
	      addresses	 is  specified	as  "-F	number". The Source Address of
	      each UDP datagram	is randomly selected from the prefix specified
	      by the "-s" option. If the "-F" option is	specified but the "-s"
	      option is	left unspecified, the Source Address of	the packets is
	      randomly selected	from the prefix	::/0.

       -T N_PORTS, --flood-ports N_PORTS

	      This  option  instructs  the tool	to send	multiple UDP datagrams
	      with different Source Ports. The Source Port of each  UDP	 data-
	      gram  is	randomly  selected  from  the  whole port number space
	      (0-65535).

       -l, --loop

	      This option instructs the	udp6 tool to send periodic  UDP	 data-
	      grams  to	 the  victim node. The amount of time to pause between
	      sending UDP datagrams can	be specified by	means of the "-z"  op-
	      tion,  and defaults to 1 second. Note that this option cannot be
	      set in conjunction with the "-L" ("--listen") option.

       -z SECONDS, --sleep SECONDS

	      This option specifies the	amount of time to pause	between	 send-
	      ing UDP datagrams	(when the "--loop" option is set). If left un-
	      specified, it defaults to	1 second.

       -r RATE,	--rate-limit RATE

	      This option specifies the	rate limit to use  when	 performing  a
	      remote  address  scan.  "RATE"  should be	specified as "xbps" or
	      "xpps" (with "x" being an	unsigned integer), for rate-limits  in
	      bits per second or packets per second, respectively.

       -L, --listen

	      This  instructs the udp6 tool to operate in listening mode (pos-
	      sibly after attacking a given node). Note	that this option  can-
	      not be used in conjunction with the "-l" ("--loop") option.

       -p PROBE_MODE, --probe-mode PROBE_MODE

	      This option instructs the tool to operate in probe mode. The
	      specific probe mode is specified as an argument to this option
	      (currently, only "script" mode is supported). In probe mode,
	      udp6 sends probe datagrams, and waits for response packets. The
	      response packets are decoded based on the selected probe mode.

	      In  the  "script"	 probe mode, the tool decodes UDP datagrams as
	      follows:

		   RESPONSE:RESPONSE_TYPE:RESPONSE_DECODE...

	      Where the	string RESPONSE	is fixed, and RESPONSE_TYPE  indicates
	      the  response received. As of this version of the	tool, the fol-
	      lowing RESPONSE_TYPE values are supported:

		 + UDP6: Indicates that	the tool received a UDP/IPv6 packet
		 + TIMEOUT: Indicates that the tool received no	response

	      Possible output lines of the tool are:

		  RESPONSE:TIMEOUT:
		  RESPONSE:UDP6:

	      Note: Future versions of the tool	will also decode ICMPv6	 error
	      messages,	 and will include additional data regarding the	incom-
	      ing UDP datagrams	(e.g., payload size).
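
A parser for the "script" probe mode output format described above, written so that result lines with a RESPONSE_TYPE this version does not define are counted rather than dropped. This is an added example, not part of the udp6 tool; the function names and the sample output (including the FUTURETYPE line) are constructed for illustration.

```python
from collections import Counter

# RESPONSE_TYPE values documented for this version of the tool.
KNOWN_TYPES = {"UDP6", "TIMEOUT"}

# Constructed sample: two result lines, one verbose line, one unknown type.
SAMPLE_OUTPUT = """\
RESPONSE:TIMEOUT:
some verbose line that is not a result
RESPONSE:UDP6:
RESPONSE:FUTURETYPE:extra:data
"""


def parse_script_line(line):
    """Return (response_type, decode) for a result line, else None."""
    line = line.strip()
    if not line.startswith("RESPONSE:"):
        return None  # not a script-mode result line (e.g. "-v" output)
    # Split on the first two colons only, so that the RESPONSE_DECODE part
    # may itself contain ":" characters.
    parts = line.split(":", 2)
    rtype = parts[1]
    decode = parts[2] if len(parts) > 2 else ""
    if not rtype:
        return None  # malformed: the fixed string without a response type
    return rtype, decode


def summarize(output):
    """Count result lines per response type; unknown types are grouped."""
    counts = Counter()
    for line in output.splitlines():
        parsed = parse_script_line(line)
        if parsed is None:
            continue
        rtype, _ = parsed
        counts[rtype if rtype in KNOWN_TYPES else "UNKNOWN"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```
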

       -v, --verbose

	      This option instructs the	udp6 tool to be	verbose.  When the op-
	      tion is set twice, the tool is "very verbose", and the tool also
	      informs which packets have been accepted or discarded as	a  re-
	      sult of applying the specified filters.

       -h, --help

	      Print help information for the udp6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the udp6 tool.

       Example #1

       # udp6 -s fc00:1::/64 -d	fc00:1::1 -a 22	-F 100 -l -z 1 -v

       In  this	 example  the  udp6 tool is essentially	employed to flood port
       number 22 of the	host fc00:1::1.	The tool sends UDP datagrams from  the
       prefix fc00:1::/64 (as specified	by the "-s" option) to port 22 (speci-
       fied by the "-a"	option)	at the destination address  fc00:1::1  (speci-
       fied by the "-d"	option). The tool sends	UDP datagrams from 100 differ-
       ent addresses (as specified by the "-F" option) every  one  second  (as
       specified  by  the "-l" and "-z"	options). The tool will	be verbose (as
       specified by the	"-v" option).

       Example #3

       # udp6 -d fc00:1::1 -a 80 -l -r 1pps -v --data "GET / HTTP/1.0\r\n\r\n"

       Flood the target	system (fc00:1::1) with	UDP datagrams at a rate	of one
       packet  per second. Each	UDP datagram will contain (in the payload) the
       string specified	via the	"--data" option.

       Example #4

       # udp6 -i eth0 -d fc00:1::1 -a 80 -L  -s	 fc00:1::/112  -l  -r  1000pps
       --udp-flags  auto  -v  --data "GET / HTTP/1.0\r\n\r\n" --flood-ports 10
       --window-mode close

       Flood the target	node (fc00:1::1) with UDP connections (on port 80). On
       each  connection	 that is established, an HTTP request is sent, and the
       UDP window is immediately closed. For each forged IPv6  source  address
       ten different UDP source	ports are randomized. The bandwidth of the at-
       tack is limited to 1000 pps.

       Example #5

       # udp6 -d fc00:1::1 -a 80 --udp-flags A --dst-opt-hdr 8	--payload-size
       50 --probe-mode script

       Send a probe UDP	datagram to UDP	port 80	at fc00:1::1. The probe	packet
       consists	of an IPv6 packet with	a  Destination	Options	 header	 of  8
       bytes,  and  an	IPv6 payload consisting	of a UDP datagram with the ACK
       bit set,	and 50 data bytes. The probe mode is "script".

AUTHOR
       The udp6 tool and the corresponding manual pages were produced by
       Fernando Gont <fgont@si6networks.com> for SI6 Networks
       <http://www.si6networks.com>.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission is granted to	copy, distribute and/or	modify	this  document
       under  the  terms of the	GNU Free Documentation License,	Version	1.3 or
       any later version published by the Free Software	 Foundation;  with  no
       Invariant  Sections,  no	Front-Cover Texts, and no Back-Cover Texts.  A
       copy of the license is available at
       <http://www.gnu.org/licenses/fdl.html>.

								       UDP6(1)
