
Name

fragrouter - network intrusion detection evasion toolkit

Synopsis

fragrouter [ -i interface ] [ -p ] [ ATTACK ] host

Description

Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems.

The attacks implemented correspond to those listed in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January, 1998.

Options

-i
Specify the interface to accept packets on.
-p
Preserve the entire protocol header in the first fragment. This is enabled by default on Linux, which doesn't allow sending of short fragments.

The following attack options are mutually exclusive - you may only specify one type of attack to run at a time.

-B1
baseline-1 : Normal IP forwarding.
-F1
frag-1 : Send data in ordered 8-byte IP fragments.
-F2
frag-2 : Send data in ordered 24-byte IP fragments.
-F3
frag-3 : Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
-F4
frag-4 : Send data in ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet.
-F5
frag-5 : Send data in out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet.
-F6
frag-6 : Send data in ordered 8-byte IP fragments, sending the marked last fragment first.
-F7
frag-7 : Send data in ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it. This amounts to the forward-overlapping 16-byte fragment rewriting the null data back to the real attack.
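
For sensor testing, the frag-7 description above can be modelled to show why a reassembler's overlap policy matters and which policy-independent anomalies the pattern exposes. This is an added example, not fragrouter code: the payload, the MF flag values, the min_len threshold and all function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Frag:
    offset: int   # byte offset of the fragment's data within the datagram
    data: bytes
    more: bool    # IP "more fragments" (MF) flag

def frag7_model(payload, size=16):
    """Constructed model of the frag-7 description: each 16-byte fragment is
    preceded by an 8-byte null fragment over its latter half. MF values assumed."""
    out, half = [], size // 2
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        if len(chunk) > half:
            out.append(Frag(off + half, bytes(len(chunk) - half), True))
        out.append(Frag(off, chunk, off + size < len(payload)))
    return out

def reassemble(frags, policy):
    """Rebuild in arrival order. 'first' keeps the first copy of an overlapped
    byte, 'last' lets later fragments overwrite it."""
    buf = {}
    for f in frags:
        for i, b in enumerate(f.data):
            if policy == "last" or f.offset + i not in buf:
                buf[f.offset + i] = b
    return bytes(buf[k] for k in sorted(buf))

def anomalies(frags, min_len=64):
    """Flags a sensor can raise without knowing the end host's overlap policy.
    min_len is an assumed minimum size for non-final fragments."""
    flags, seen, prev = set(), {}, -1
    for f in frags:
        if f.more and len(f.data) < min_len:
            flags.add("tiny")
        if f.offset < prev:
            flags.add("out_of_order")
        prev = f.offset
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen:
                flags.add("conflicting_overlap" if seen[pos] != b else "duplicate_data")
            else:
                seen[pos] = b
    return flags

PAYLOAD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"   # constructed 32-byte sample
FRAGS = frag7_model(PAYLOAD)
```

A sensor that reassembles with the "first" policy sees null bytes where a "last" host sees the real data, so the sensor's policy has to match the protected host's, and conflicting overlaps are worth alerting on in either case.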

See Also

tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

Author

Dug Song, Anzen Computing.

The current version is available via HTTP:

http://www.anzen.com/research/nidsbench/

Bugs

Please send bug reports to nidsbench@anzen.com.

