
FRAGROUTER(8)					    FRAGROUTER(8)

NAME
       fragrouter - network intrusion detection evasion toolkit

SYNOPSIS
       fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hop-count ] ATTACK

DESCRIPTION
       Fragrouter is a program for routing network traffic in such a
       way as to elude most network intrusion detection systems.

       Most attacks implemented correspond to those listed in the
       Secure Networks ``Insertion, Evasion, and Denial of Service:
       Eluding Network Intrusion Detection'' paper of January 1998.

OPTIONS
       -i     Specify the interface to accept packets on.

       -p     Preserve the entire protocol header in the first
              fragment. This is useful in bypassing packet filters
              that deny short IP fragments.

       -g     Specify a hop along a loose source routed path. Can
              be used more than once to build a chain of hop
              points.

       -G     Positions the "hop counter" within the list of
              hosts in the path of a source routed packet. Should
              be a multiple of 4. Can be set past the length of
              the loose source routed path to implement Anthony
              Osborne's Windows IP source routing attack of
              September 1999.

       The following attack options are mutually exclusive -  you
       may only specify one type of attack to run at a time.

       -B1    baseline-1: Normal IP forwarding.

       -F1    frag-1: Send data in ordered 8-byte IP fragments.

       -F2    frag-2: Send data in ordered 24-byte IP fragments.

       -F3    frag-3: Send data in ordered 8-byte IP fragments,
              with one fragment sent out of order.

       -F4    frag-4: Send data in ordered 8-byte IP fragments,
              duplicating the penultimate fragment in each
              packet.

       -F5    frag-5: Send data in out of order 8-byte IP
              fragments, duplicating the penultimate fragment in
              each packet.

       -F6    frag-6: Send data in ordered 8-byte IP fragments,
              sending the marked last fragment first.

       -F7    frag-7: Send data in ordered 16-byte IP fragments,
              preceding each fragment with an 8-byte null data
              fragment that overlaps the latter half of it. This
              amounts to the forward-overlapping 16-byte fragment
              rewriting the null data back to the real attack.

       -T1    tcp-1: Complete TCP handshake, send fake FIN and
              RST (with bad checksums) before sending data in
              ordered 1-byte segments.

       -T3    tcp-3: Complete TCP handshake, send data in ordered
              1-byte segments, duplicating the penultimate
              segment of each original TCP packet.

       -T4    tcp-4: Complete TCP handshake, send data in ordered
              1-byte segments, sending an additional 1-byte
              segment which overlaps the penultimate segment of
              each original TCP packet with a null data payload.

       -T5    tcp-5: Complete TCP handshake, send data in ordered
              2-byte segments, preceding each segment with a
              1-byte null data segment that overlaps the latter
              half of it. This amounts to the forward-overlapping
              2-byte segment rewriting the null data back to the
              real attack.

       -T7    tcp-7: Complete TCP handshake, send data in ordered
              1-byte segments interleaved with 1-byte null
              segments for the same connection but with
              drastically different sequence numbers.

       -T8    tcp-8: Complete TCP handshake, send data in ordered
	      1-byte segments with one segment sent out of order.

       -T9    tcp-9: Complete TCP handshake, send data in out of
              order 1-byte segments.

       -C2    tcbc-2: Complete TCP handshake, send data in
              ordered 1-byte segments interleaved with SYN
              packets for the same connection parameters.

       -C3    tcbc-3: Do not complete TCP handshake, but send
              null data in ordered 1-byte segments as if one had
              occurred. Then, complete a TCP handshake with the
              same connection parameters, and send the real data
              in ordered 1-byte segments.

       -R1    tcbt-1: Complete TCP handshake, shut connection
              down with a RST, re-connect with drastically
              different sequence numbers and send data in
              ordered 1-byte segments.

       -I2    ins-2: Complete TCP handshake, send data in ordered
	      1-byte segments but with bad TCP checksums.

       -I3    ins-3: Complete TCP handshake, send data in ordered
	      1-byte segments but with no ACK flag set.

       -M1    misc-1: Thomas Lopatic's Windows NT 4 SP2 IP
              fragmentation attack of July 1997 (see
              http://www.dataprotect.com/ntfrag/ for details).
              This attack has only been implemented for UDP.

       -M2    misc-2: John McDonald's Linux IP chains IP
              fragmentation attack of July 1998 (see
              http://www.dataprotect.com/ipchains/ for details).
              This attack has only been implemented for TCP and
              UDP.
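       The frag-7 and tcp-5 options above rely on the same ambiguity:
       a forward-overlapping fragment or segment whose data conflicts
       with an earlier null one, so a monitor that keeps the first copy
       and a host that keeps the last copy reconstruct different
       streams. The following is an added illustration written for this
       page, not part of fragrouter or of Anzen's code. It models byte
       offsets only (no IP headers), builds constructed traffic shaped
       like frag-7, reassembles it under both overlap policies, and
       reports the conflicting positions a NIDS should alert on.

```python
"""Added example, not fragrouter's own code: model the frag-7 /
tcp-5 overlap ambiguity and flag conflicting overlaps (the signal a
detector should raise on)."""
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset, payload), in arrival order


def reassemble(frags: List[Fragment], favor_new: bool) -> bytes:
    """Rebuild the stream. favor_new=True keeps the later copy of an
    overlapped byte (what the target host in frag-7 is assumed to do);
    favor_new=False keeps the first copy (a naive monitor)."""
    total = max(off + len(p) for off, p in frags)
    buf = bytearray(total)
    filled = [False] * total
    for off, payload in frags:
        for i, b in enumerate(payload):
            pos = off + i
            if favor_new or not filled[pos]:
                buf[pos] = b
            filled[pos] = True
    return bytes(buf)


def conflicting_overlaps(frags: List[Fragment]) -> List[int]:
    """Byte positions covered by two fragments carrying different data.
    Overlaps with identical data (e.g. a plain retransmit) are benign
    and are not reported; only the conflict is the evasion signal."""
    first_seen: Dict[int, int] = {}
    conflicts = set()
    for off, payload in frags:
        for i, b in enumerate(payload):
            pos = off + i
            if pos in first_seen and first_seen[pos] != b:
                conflicts.add(pos)
            first_seen.setdefault(pos, b)
    return sorted(conflicts)


def frag7_stream(data: bytes) -> List[Fragment]:
    """Constructed traffic shaped like frag-7: 16-byte chunks in order,
    each preceded by a null fragment covering its latter half."""
    frags: List[Fragment] = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        if len(chunk) > 8:
            frags.append((off + 8, b"\x00" * (len(chunk) - 8)))
        frags.append((off, chunk))
    return frags
```

       Run against a 32-byte constructed payload, the first-copy policy
       yields nulls at bytes 8-15 and 24-31 while the last-copy policy
       yields the original data, and those same positions are what
       conflicting_overlaps reports.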

SEE ALSO
       tcpdump(8), tcpreplay(8), pcap(3), libnet(3)

AUTHOR
       Dug Song, Anzen Computing.

       The current version is available via HTTP:

	      http://www.anzen.com/research/nidsbench/

BUGS
       IP options will carry across all fragments of a packet.
       Fragrouter is not smart enough to determine which IP
       options are valid only in the first fragment. This is
       considered a feature, not a bug. :-)

       Similarly, TCP options will carry across all segments of a
       split TCP packet - except for null data packets preceding
       a forward overwrite, which lack any TCP options in order
       to elude TCP PAWS elimination.

       Please send bug reports to nidsbench@anzen.com.



			  26 April 1999				3
