Provided by: fragrouter_1.6-2.2_i386

NAME

       fragrouter - network intrusion detection evasion toolkit

SYNOPSIS

       fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK

DESCRIPTION

       Fragrouter is a program for routing network traffic in such a way as to
       elude most network intrusion detection systems.

       Most attacks implemented correspond  to  those  listed  in  the  Secure
       Networks  "Insertion,  Evasion, and Denial of Service: Eluding Network
       Intrusion Detection" paper of January 1998.

OPTIONS

       -i     Specify the interface to accept packets on.

       -p     Preserve the entire protocol header in the first fragment.  This
              is  useful  in  bypassing  packet  filters  that  deny  short IP
              fragments.

       -g     Specify a hop along a loose source routed path. Can be used more
              than once to build a chain of hop points.

       -G     Positions the "hop counter" within the list of hosts in the path
              of a source routed packet. Should be a multiple of 4. Can be set
              past  the  length  of  the loose source routed path to implement
              Anthony Osborne’s Windows IP source routing attack of  September
              1999.

       The  following  attack  options  are  mutually exclusive - you may only
       specify one type of attack to run at a time.
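       The point of -p is easiest to see at the byte level. The following
       Python is an added example, not fragrouter's own code: it splits a
       constructed TCP segment into IPv4 fragments the way the 8-byte frag-*
       attacks do, once as-is and once with the first fragment enlarged to
       hold the whole transport header, then runs a "tiny fragment" filter
       of the kind RFC 1858 describes over both. Addresses, ports and
       payload are constructed; the TCP checksum is left zero because only
       the IP fragment layout matters here.

```python
"""
Added example, not part of fragrouter: 8-byte IPv4 fragmentation with and
without a header-preserving first fragment (the -p idea), checked against
an RFC 1858 style tiny-fragment filter. All inputs are constructed.
"""
from __future__ import annotations
import struct


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int,
                ident: int, more: bool, frag_off: int) -> bytes:
    """20-byte IPv4 header, no options; frag_off is in 8-byte units."""
    flags_off = (0x2000 if more else 0) | frag_off   # 0x2000 = MF flag
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def fragment(src: bytes, dst: bytes, proto: int, transport: bytes,
             ident: int, frag_size: int = 8, preserve_header: bool = False,
             header_len: int = 8) -> list[bytes]:
    """Split transport (header + data) into IP fragments of frag_size bytes.
    With preserve_header the first fragment is at least header_len bytes,
    rounded up to a multiple of 8, so the transport header is not split."""
    assert frag_size % 8 == 0, "non-final fragments must be 8-byte multiples"
    first = frag_size
    if preserve_header:
        first = max(frag_size, -(-header_len // 8) * 8)
    pieces, pos = [], 0
    while pos < len(transport):
        size = first if pos == 0 else frag_size
        chunk = transport[pos:pos + size]
        more = pos + len(chunk) < len(transport)
        pieces.append(ipv4_header(src, dst, proto, 20 + len(chunk), ident,
                                  more, pos // 8) + chunk)
        pos += len(chunk)
    return pieces


def parse(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0xF) * 4
    (flags_off,) = struct.unpack("!H", pkt[6:8])
    return {"mf": bool(flags_off & 0x2000), "off": flags_off & 0x1FFF,
            "proto": pkt[9], "data": pkt[ihl:]}


def checksum_ok(pkt: bytes) -> bool:
    return ipv4_checksum(pkt[:20]) == 0


def tiny_fragment_filter(pkt: bytes, min_first_bytes: int = 16) -> str:
    """RFC 1858 style rule: a first fragment (offset 0, MF set) must carry at
    least min_first_bytes of transport header (16 reaches the TCP flags), and
    a fragment at offset 1 is dropped because it could overwrite that header."""
    f = parse(pkt)
    if f["off"] == 0 and f["mf"] and len(f["data"]) < min_first_bytes:
        return "drop"
    if f["off"] == 1:
        return "drop"
    return "pass"


def sample_segment() -> bytes:
    """Constructed 20-byte TCP header (PSH/ACK, checksum 0) + 12 data bytes."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return tcp + b"constructed!"


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    seg = sample_segment()
    for label, kw in (("frag-1 style", {}),
                      ("with -p", {"preserve_header": True, "header_len": 20})):
        frags = fragment(src, dst, 6, seg, 0x1234, **kw)
        print(label, [(parse(p)["off"], len(parse(p)["data"]),
                       tiny_fragment_filter(p)) for p in frags])
```

       Without header preservation the first 8-byte fragment holds less
       than the TCP flags and the second sits at offset 1, so a filter of
       this kind drops both; with the first fragment widened to 24 bytes
       every fragment passes and the segment still reassembles byte for
       byte.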

       -B1    baseline-1: Normal IP forwarding.

       -F1    frag-1: Send data in ordered 8-byte IP fragments.

       -F2    frag-2: Send data in ordered 24-byte IP fragments.

       -F3    frag-3: Send data in  ordered  8-byte  IP  fragments,  with  one
              fragment sent out of order.

       -F4    frag-4:  Send  data  in ordered 8-byte IP fragments, duplicating
              the penultimate fragment in each packet.

       -F5    frag-5:  Send  data  in  out  of  order  8-byte  IP   fragments,
              duplicating the penultimate fragment in each packet.

       -F6    frag-6:  Send  data  in ordered 8-byte IP fragments, sending the
              marked last fragment first.

       -F7    frag-7: Send data in ordered  16-byte  IP  fragments,  preceding
              each  fragment  with  an 8-byte null data fragment that overlaps
              the latter half of it. This amounts to  the  forward-overlapping
              16-byte  fragment  rewriting  the  null  data  back  to the real
              attack.

       -T1    tcp-1: Complete TCP handshake, send fake FIN and RST  (with  bad
              checksums) before sending data in ordered 1-byte segments.

       -T3    tcp-3:  Complete  TCP  handshake,  send  data  in ordered 1-byte
              segments, duplicating the penultimate segment of  each  original
              TCP packet.

       -T4    tcp-4:  Complete  TCP  handshake,  send  data  in ordered 1-byte
              segments, sending an additional 1-byte  segment  which  overlaps
              the  penultimate segment of each original TCP packet with a null
              data payload.

       -T5    tcp-5: Complete TCP  handshake,  send  data  in  ordered  2-byte
              segments, preceding each segment with a 1-byte null data segment
              that overlaps the  latter  half  of  it.  This  amounts  to  the
              forward-overlapping  2-byte segment rewriting the null data back
              to the real attack.

       -T7    tcp-7: Complete TCP  handshake,  send  data  in  ordered  1-byte
              segments  interleaved  with  1-byte  null  segments for the same
              connection but with drastically different sequence numbers.

       -T8    tcp-8: Complete TCP  handshake,  send  data  in  ordered  1-byte
              segments with one segment sent out of order.

       -T9    tcp-9:  Complete TCP handshake, send data in out of order 1-byte
              segments.

       -C2    tcbc-2: Complete TCP handshake,  send  data  in  ordered  1-byte
              segments  interleaved  with  SYN packets for the same connection
              parameters.

       -C3    tcbc-3: Do not complete TCP handshake, but  send  null  data  in
              ordered 1-byte segments as if one had occurred. Then complete a
              TCP handshake with the same connection parameters, and send the
              real data in ordered 1-byte segments.

       -R1    tcbt-1: Complete TCP handshake, shut connection down with a RST,
              re-connect with drastically different sequence numbers and  send
              data in ordered 1-byte segments.

       -I2    ins-2:  Complete  TCP  handshake,  send  data  in ordered 1-byte
              segments but with bad TCP checksums.

       -I3    ins-3: Complete TCP  handshake,  send  data  in  ordered  1-byte
              segments but with no ACK flag set.

       -M1    misc-1:  Thomas  Lopatic’s  Windows  NT  4  SP2 IP fragmentation
              attack of July 1997 (see http://www.dataprotect.com/ntfrag/  for
              details). This attack has only been implemented for UDP.

       -M2    misc-2:  John McDonald's Linux IP chains IP fragmentation attack
              of  July  1998  (see  http://www.dataprotect.com/ipchains/   for
              details). This attack has only been implemented for TCP and UDP.
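       The forward-overlap attacks (frag-7 for IP fragments, tcp-5 for TCP
       segments) only work because the end host and the monitor may resolve
       overlapping data differently. The Python below is an added example,
       not fragrouter's own code: it models a fragment or segment as an
       (offset, data) pair, where offset is the IP fragment byte offset or
       the TCP sequence offset relative to the first data byte, generates
       the frag-7 / tcp-5 pattern for a constructed payload, and reassembles
       it under the two simplest overlap policies, "favor new" (later data
       overwrites) and "favor old" (first data seen wins). Real stacks
       implement these and several mixed variants; the policy names are
       the example's own.

```python
"""
Added example, not part of fragrouter: forward-overlap evasion (frag-7,
tcp-5) reassembled under two overlap policies. Payload is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    offset: int   # byte offset within the original payload
    data: bytes


def forward_overlap_chunks(payload: bytes, size: int = 16,
                           null_size: int = 8) -> list[Chunk]:
    """Emit the payload in ordered size-byte chunks, each preceded by a
    null_size-byte chunk of NULs overlapping its latter half.
    size=16, null_size=8 is the frag-7 pattern; size=2, null_size=1 is tcp-5.
    The NUL chunk is sent first, so only a host that lets later data
    overwrite earlier data sees the real payload."""
    chunks = []
    for off in range(0, len(payload), size):
        real = payload[off:off + size]
        nul_len = min(null_size, len(real))
        nul_off = off + len(real) - nul_len
        chunks.append(Chunk(nul_off, b"\x00" * nul_len))   # sent first
        chunks.append(Chunk(off, real))                     # overlaps it
    return chunks


def reassemble(chunks: list[Chunk], total: int, favor: str = "new") -> bytes:
    """Reassemble total bytes from chunks under one overlap policy:
    'new': the most recently received data for an offset is kept
    'old': the first data received for an offset is kept
    A monitor that uses a different policy than the target host sees a
    different byte stream than the host does."""
    if favor not in ("new", "old"):
        raise ValueError(favor)
    buf, seen = bytearray(total), bytearray(total)
    for c in chunks:
        for i, b in enumerate(c.data):
            pos = c.offset + i
            if pos >= total:
                continue
            if favor == "new" or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
    return bytes(buf)


def views(payload: bytes, **kw) -> dict[str, bytes]:
    """What a reassembler using each policy ends up with."""
    chunks = forward_overlap_chunks(payload, **kw)
    return {p: reassemble(chunks, len(payload), p) for p in ("new", "old")}


if __name__ == "__main__":
    sample = b"constructed attack payload!!"   # constructed, 28 bytes
    for policy, got in views(sample).items():          # frag-7 sizes
        print(f"frag-7, favor {policy}: {got!r}")
    for policy, got in views(sample, size=2, null_size=1).items():
        print(f"tcp-5,  favor {policy}: {got!r}")
```

       Under "favor new" both patterns yield the original payload; under
       "favor old" the latter half of every chunk stays NUL, which is what
       a signature matcher using that policy would inspect. The same
       routine covers frag-4 / tcp-3 style duplicates as well, since a
       duplicated chunk carries identical bytes and reassembles the same
       way under either policy; the overlap attacks are the ones that
       diverge.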

SEE ALSO

       tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR

       Dug Song, Anzen Computing.

       The current version is available via HTTP:

              http://www.anzen.com/research/nidsbench/

BUGS

       IP  options  will carry across all fragments of a packet. Fragrouter is
       not smart enough to determine which IP options are valid  only  in  the
       first fragment. This is considered a feature, not a bug. :-)

       Similarly,  TCP  options  will carry across all segments of a split TCP
       packet - except for null data packets preceding  a  forward  overwrite,
       which lack any TCP options in order to elude TCP PAWS elimination.

       Please send bug reports to nidsbench@anzen.com.

                                 26 April 1999                   FRAGROUTER(8)