fragrouter man page on DragonFly

FRAGROUTER(8)							 FRAGROUTER(8)

NAME
       fragrouter - network intrusion detection evasion toolkit

SYNOPSIS
       fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK

DESCRIPTION
       Fragrouter is a program for routing network traffic in such a way as to
       elude most network intrusion detection systems.

       Most attacks implemented correspond to those listed in the Secure  Net‐
       works  ``Insertion,  Evasion,  and  Denial  of Service: Eluding Network
       Intrusion Detection'' paper of January 1998.

OPTIONS
       -i     Specify the interface to accept packets on.

       -p     Preserve the entire protocol header in the first fragment.  This
	      is  useful  in bypassing packet filters that deny short IP frag‐
	      ments.

       -g     Specify a hop along a loose source routed path. Can be used more
	      than once to build a chain of hop points.

       -G     Positions the "hop counter" within the list of hosts in the path
	      of a source routed packet. Should be a multiple of 4. Can be set
	      past  the	 length	 of  the loose source routed path to implement
	      Anthony Osborne's Windows IP source routing attack of  September
	      1999.

       The  following  attack  options	are  mutually exclusive - you may only
       specify one type of attack to run at a time.

       -B1    baseline-1: Normal IP forwarding.

       -F1    frag-1: Send data in ordered 8-byte IP fragments.

       -F2    frag-2: Send data in ordered 24-byte IP fragments.

       -F3    frag-3: Send data in ordered 8-byte IP fragments, with one frag‐
	      ment sent out of order.

       -F4    frag-4:  Send  data  in ordered 8-byte IP fragments, duplicating
	      the penultimate fragment in each packet.

       -F5    frag-5: Send data in out of order 8-byte IP fragments, duplicat‐
	      ing the penultimate fragment in each packet.

       -F6    frag-6:  Send  data  in ordered 8-byte IP fragments, sending the
	      marked last fragment first.

       -F7    frag-7: Send data in ordered  16-byte  IP	 fragments,  preceding
	      each  fragment  with  an 8-byte null data fragment that overlaps
	      the latter half of it. This amounts to  the  forward-overlapping
	      16-byte  fragment	 rewriting  the	 null  data  back  to the real
	      attack.

       -T1    tcp-1: Complete TCP handshake, send fake FIN and RST  (with  bad
	      checksums) before sending data in ordered 1-byte segments.

       -T3    tcp-3:  Complete TCP handshake, send data in ordered 1-byte seg‐
	      ments, duplicating the penultimate segment of each original  TCP
	      packet.

       -T4    tcp-4:  Complete TCP handshake, send data in ordered 1-byte seg‐
	      ments, sending an additional 1-byte segment which	 overlaps  the
	      penultimate segment of each original TCP packet with a null data
	      payload.

       -T5    tcp-5: Complete TCP handshake, send data in ordered 2-byte  seg‐
	      ments,  preceding	 each  segment with a 1-byte null data segment
	      that overlaps the latter half of it. This amounts	 to  the  for‐
	      ward-overlapping	2-byte segment rewriting the null data back to
	      the real attack.

       -T7    tcp-7: Complete TCP handshake, send data in ordered 1-byte  seg‐
	      ments interleaved with 1-byte null segments for the same connec‐
	      tion but with drastically different sequence numbers.

       -T8    tcp-8: Complete TCP handshake, send data in ordered 1-byte  seg‐
	      ments with one segment sent out of order.

       -T9    tcp-9:  Complete TCP handshake, send data in out of order 1-byte
	      segments.

       -C2    tcbc-2: Complete TCP handshake, send data in ordered 1-byte seg‐
	      ments  interleaved  with	SYN  packets  for  the same connection
	      parameters.

       -C3    tcbc-3: Do not complete TCP handshake, but  send	null  data  in
	      ordered  1-byte segments as if one had occurred. Then, complete a
	      TCP handshake with same connection parameters, and send the real
	      data in ordered 1-byte segments.

       -R1    tcbt-1: Complete TCP handshake, shut connection down with a RST,
	      re-connect with drastically different sequence numbers and  send
	      data in ordered 1-byte segments.

       -I2    ins-2:  Complete TCP handshake, send data in ordered 1-byte seg‐
	      ments but with bad TCP checksums.

       -I3    ins-3: Complete TCP handshake, send data in ordered 1-byte  seg‐
	      ments but with no ACK flag set.

       -M1    misc-1:  Thomas  Lopatic's  Windows  NT  4  SP2 IP fragmentation
	      attack of July 1997 (see http://www.dataprotect.com/ntfrag/  for
	      details). This attack has only been implemented for UDP.

       -M2    misc-2:  John McDonald's Linux IP chains IP fragmentation attack
	      of  July	1998  (see  http://www.dataprotect.com/ipchains/   for
	      details). This attack has only been implemented for TCP and UDP.
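
Added example (not part of the original man page or of fragrouter's code): a defensive check over one datagram's fragments in arrival order, showing why the overlap in frag-7 matters to a sensor, since the reassembled bytes depend on whether the earlier or the later copy of a byte wins. The `Frag` record, the 24-byte `tiny` threshold, the label names and the sample trains are constructed assumptions.

```python
from collections import namedtuple

# One IP fragment as a sensor sees it: byte offset, More-Fragments flag, payload.
Frag = namedtuple("Frag", "offset mf data")

def reassemble(frags, policy):
    """Rebuild the datagram; 'first' keeps the earliest copy of a byte, 'last' the latest."""
    buf = {}
    for f in frags:
        for i, b in enumerate(f.data):
            if policy == "last" or f.offset + i not in buf:
                buf[f.offset + i] = b
    return bytes(buf[k] for k in sorted(buf))

def analyze(frags, tiny=24):
    """Label anomalies in one datagram's fragments, given in arrival order."""
    labels, seen, prev = set(), [], None
    for i, f in enumerate(frags):
        end = f.offset + len(f.data)
        if f.mf and len(f.data) <= tiny:          # normal non-final fragments are near MTU size
            labels.add("tiny-fragment")
        if not f.mf and i < len(frags) - 1:       # MF=0 fragment arrived before the rest
            labels.add("last-fragment-early")
        if prev is not None and f.offset < prev:
            labels.add("out-of-order")
        for s in seen:
            if s == f:
                labels.add("duplicate")
            elif s.offset < end and f.offset < s.offset + len(s.data):
                labels.add("overlap")
        seen.append(f)
        prev = f.offset
    # Overlapping copies that disagree: sensor and end host may see different data.
    if reassemble(frags, "first") != reassemble(frags, "last"):
        labels.add("ambiguous-reassembly")
    return labels

# Constructed sample trains mirroring the frag-1/4/6/7 descriptions (no real traffic).
PAYLOAD = b"constructed sample payload 32B!!"

def ordered(size):
    return [Frag(o, o + size < len(PAYLOAD), PAYLOAD[o:o + size])
            for o in range(0, len(PAYLOAD), size)]

F1 = ordered(8)
F4 = F1[:3] + [F1[2]] + F1[3:]          # penultimate fragment duplicated
F6 = [F1[-1]] + F1[:-1]                 # marked last fragment sent first
F7 = []
for real in ordered(16):                # 8 null bytes over the latter half, then the real 16
    F7 += [Frag(real.offset + 8, True, bytes(8)), real]
```

For the frag-7 sample, `analyze(F7)` reports tiny-fragment, out-of-order, overlap and ambiguous-reassembly, and the two `reassemble` policies disagree on bytes 8-15 and 24-31, which is the condition a sensor has to resolve the same way the protected host does.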

SEE ALSO
       tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR
       Dug Song, Anzen Computing.

       The current version is available via HTTP:

	      http://www.anzen.com/research/nidsbench/

BUGS
       IP  options  will carry across all fragments of a packet. Fragrouter is
       not smart enough to determine which IP options are valid	 only  in  the
       first fragment. This is considered a feature, not a bug. :-)

       Similarly,  TCP	options	 will carry across all segments of a split TCP
       packet - except for null data packets preceding	a  forward  overwrite,
       which lack any TCP options in order to elude TCP PAWS elimination.

       Please send bug reports to nidsbench@anzen.com.

				 26 April 1999			 FRAGROUTER(8)