fragroute.8
.\"
.\" Copyright (c) 2001 Dug Song <[email protected]>
.\"
.\" $Id: fragroute.8.in,v 1.5 2002/04/15 14:18:42 dugsong Exp $
.\"
.TH FRAGROUTE 8
.SH NAME
fragroute \- intercept, modify, and rewrite egress traffic
.SH SYNOPSIS
\fBfragroute\fR [\fB-f \fIfile\fR] \fIhost\fR
.SH DESCRIPTION
.B fragroute
intercepts, modifies, and rewrites egress traffic destined for the
specified
.IR host ,
implementing most of the attacks described in the Secure Networks
``Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
Detection'' paper of January 1998.
.LP
The options are as follows:
.IP "\fB-f \fIfile\fR"
Read ruleset from the specified
.I file
instead of
.IR /usr/local/etc/fragroute.conf .
.LP
Unlike
.BR fragrouter (8),
this program only affects packets originating from the local machine
destined for a remote
.IR host .
Do not enable IP forwarding on the local machine.
.SH RULESET
.B fragroute
is composed of several modules which enable various configuration
directives. Each directive operates on a logical packet queue handed
to it by the previous rule.
.TP
.BI # " string ..."
Ruleset comment, no-op.
.TP
.BR "delay first" | last | random " " \fIms\fR
Delay the delivery of the first, last, or a randomly selected packet
from the queue by
.I ms
milliseconds.
.TP
.BR "drop first" | last | random " " \fIprob-%\fR
Drop the first, last, or a randomly selected packet from the queue
with a probability of
.I prob-%
percent.
.TP
.BR "dup first" | last | random " " \fIprob-%\fR
Duplicate the first, last, or a randomly selected packet from the
queue with a probability of
.I prob-%
percent.
.TP
.BI echo " string ..."
Echo the
.I string
argument(s) to standard output.
.TP
.BR "ip_chaff dup" | opt | \fIttl\fR
Interleave IP packets in the queue with duplicate IP packets
containing different payloads, either scheduled for later delivery,
carrying invalid IP options, or bearing short time-to-live values.
.TP
.BR "ip_frag " \fIsize\fR " " [ old | new ]
Fragment each packet in the queue into
.IR size -byte
IP fragments, preserving the complete transport header in the first
fragment. Optional fragment overlap may be specified as
.BR old " or " new ,
to favor older or newer data, respectively.
.TP
.BR "ip_opt lsrr" | "ssrr " "\fIptr ip-addr ...\fR"
Add IP options to every packet, to enable loose or strict source
routing. The route should be specified as a list of IP addresses and a
bytewise pointer into them (e.g. the minimum \fIptr\fR value is 4).
.TP
.BI "ip_ttl " ttl
Set the IP time-to-live value of every packet to
.IR ttl .
.TP
.BI "ip_tos " tos
Set the IP type-of-service bits for every packet to
.IR tos .
.TP
.BR order " " random | reverse
Re-order the packets in the queue randomly, or in reverse.
.TP
.BR print
Print each packet in the queue in tcpdump-style format.
.TP
.BR tcp_chaff " " cksum | null | paws | rexmit | seq | syn | \fIttl\fR
Interleave TCP segments in the queue with duplicate TCP segments
containing different payloads, either bearing invalid TCP checksums,
null TCP control flags, older TCP timestamp options for PAWS
elimination, faked retransmits scheduled for later delivery,
out-of-window sequence numbers, requests to re-synchronize sequence
numbers mid-stream, or short time-to-live values.
.TP
.BR tcp_opt " " mss | wscale "\fI size\fR"
Add TCP options to every TCP packet, to set the maximum segment size
or window scaling factor.
.TP
.BR "tcp_seg " \fIsize\fR " " [ old | new ]
Segment each TCP data segment in the queue into
.IR size -byte
TCP segments. Optional segment overlap may be specified as
.BR old " or " new ,
to favor older or newer data, respectively.
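.LP
The old/new overlap choice of ip_frag and tcp_seg matters because TCP/IP stacks do not agree on which bytes win when fragments or segments overlap, and that disagreement is the ambiguity the paper cited in DESCRIPTION turns against a network monitor. The Python below is an added example, not fragroute code: it rebuilds a constructed list of overlapping chunks under a keep-first policy and an overwrite policy, and reports the offsets where the overlapping bytes actually disagree, which is the condition a monitor should alert on instead of silently picking one policy. The chunk offsets, payloads and function names are this example's own assumptions.

```python
"""Model fragment/segment reassembly under the two overlap policies.

Added example; this is not fragroute code.  `ip_frag size old|new` and
`tcp_seg size old|new` produce chunks whose overlapping bytes disagree,
so a stack that keeps first-received data and one that lets later data
overwrite rebuild different streams.  A monitor that does not apply the
same policy as the destination host sees a different stream than the
host does; conflicting_offsets() flags exactly the overlaps where the
data disagrees.  Offsets and payloads below are constructed sample data.
"""
from typing import Dict, List, Tuple

Chunk = Tuple[int, bytes]  # (byte offset within the reassembled stream, data)


def reassemble(chunks: List[Chunk], policy: str) -> bytes:
    """Rebuild the stream from chunks taken in arrival order.

    policy "first": bytes already placed are kept (favors older data).
    policy "last":  later chunks overwrite earlier ones (favors newer data).
    Gaps never covered by any chunk are left as zero bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    length = max(off + len(data) for off, data in chunks)
    buf = bytearray(length)
    placed = [False] * length
    for off, data in chunks:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not placed[pos]:
                buf[pos] = byte
            placed[pos] = True
    return bytes(buf)


def conflicting_offsets(chunks: List[Chunk]) -> List[int]:
    """Offsets covered by two or more chunks that carry different bytes there.

    Ordinary retransmissions overlap with identical bytes and are not
    flagged; only overlaps where the data disagrees make reassembly
    ambiguous, so those are the ones worth an alert.
    """
    first_seen: Dict[int, int] = {}
    conflicts = set()
    for off, data in chunks:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in first_seen:
                if first_seen[pos] != byte:
                    conflicts.add(pos)
            else:
                first_seen[pos] = byte
    return sorted(conflicts)


def is_ambiguous(chunks: List[Chunk]) -> bool:
    """True when the keep-first and overwrite policies yield different streams."""
    return reassemble(chunks, "first") != reassemble(chunks, "last")


# Constructed sample: an 8-byte chunk followed by a second chunk that starts
# 4 bytes in, overlapping the tail of the first with different data.
SAMPLE_CHUNKS: List[Chunk] = [
    (0, b"AAAAAAAA"),
    (4, b"BBBBBBBB"),
]

if __name__ == "__main__":
    print("favor older data:", reassemble(SAMPLE_CHUNKS, "first"))
    print("favor newer data:", reassemble(SAMPLE_CHUNKS, "last"))
    print("conflicting offsets:", conflicting_offsets(SAMPLE_CHUNKS))
    print("ambiguous:", is_ambiguous(SAMPLE_CHUNKS))
```

A monitor that knows the destination stack's policy can pass the matching reassembly to its detection logic; one that does not should treat any non-empty conflicting_offsets() result as an event in its own right, since the stream it would otherwise inspect may not be the one the host accepts.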
.SH EXAMPLES
Fragment all traffic to a Windows host into forward-overlapping 8-byte
fragments (favoring older data), reorder randomly, and print to
standard output:
.LP
.nf
ip_frag 8 old
order random
print
.fi
.LP
Segment all TCP data to a host into forward-overlapping 4-byte
segments (favoring newer data), interleave with overwriting, random
chaff segments bearing older timestamp options for PAWS elimination,
reorder randomly, and print to standard output:
.LP
.nf
tcp_seg 4 new
tcp_chaff paws
order random
print
.fi
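.LP
A ruleset like the ones above is read line by line, one directive per line, with the argument shapes given in RULESET. The Python below is an added example, not fragroute's own parser: it validates each directive against the documented grammar (position keywords for delay/drop/dup, old|new overlap for ip_frag/tcp_seg, a pointer of at least 4 followed by IPv4 addresses for ip_opt, a numeric time-to-live where the page shows \fIttl\fR in italics) and rejects anything else with a line number, so a malformed configuration is caught before it reaches the wire. The helper names and the embedded sample ruleset are this example's own; the page does not state numeric ranges, so the 0-255 and 0-100 bounds used here are assumptions.

```python
"""Parse and validate a fragroute-style ruleset file.

Added example, not fragroute code.  Accepts the directive grammar from the
RULESET section and returns (directive, args) tuples.  Numeric bounds are
this example's assumptions; the page itself does not give ranges.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, List[str]]
POSITION = {"first", "last", "random"}
OVERLAP = {"old", "new"}
TCP_CHAFF = {"cksum", "null", "paws", "rexmit", "seq", "syn"}


class RulesetError(ValueError):
    """Raised for an unknown directive or a malformed argument."""


def _int(tok: str, what: str, lo: int = 0, hi: Optional[int] = None) -> int:
    try:
        value = int(tok)
    except ValueError:
        raise RulesetError(f"{what}: expected integer, got {tok!r}") from None
    if value < lo or (hi is not None and value > hi):
        raise RulesetError(f"{what}: {value} out of range")
    return value


def parse_rule(line: str) -> Optional[Rule]:
    """Validate one line; return (directive, args), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):  # '# string ...' is a no-op comment
        return None
    name, *args = line.split()
    n = len(args)
    if name in ("delay", "drop", "dup"):
        if n != 2 or args[0] not in POSITION:
            raise RulesetError(f"{name}: expected first|last|random <number>")
        if name == "delay":
            _int(args[1], "delay ms")
        else:
            _int(args[1], f"{name} prob-%", hi=100)  # assumed 0-100 percent
    elif name == "echo":
        pass  # free-form string, anything goes
    elif name == "ip_chaff":
        if n != 1:
            raise RulesetError("ip_chaff: expected dup|opt|<ttl>")
        if args[0] not in ("dup", "opt"):
            _int(args[0], "ip_chaff ttl", hi=255)
    elif name in ("ip_frag", "tcp_seg"):
        if n not in (1, 2):
            raise RulesetError(f"{name}: expected <size> [old|new]")
        _int(args[0], f"{name} size", lo=1)
        if n == 2 and args[1] not in OVERLAP:
            raise RulesetError(f"{name}: overlap must be old|new")
    elif name == "ip_opt":
        if n < 3 or args[0] not in ("lsrr", "ssrr"):
            raise RulesetError("ip_opt: expected lsrr|ssrr <ptr> <ip-addr> ...")
        _int(args[1], "ip_opt ptr", lo=4)  # page: minimum ptr value is 4
        for addr in args[2:]:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                raise RulesetError(f"ip_opt: bad address {addr!r}") from None
    elif name in ("ip_ttl", "ip_tos"):
        if n != 1:
            raise RulesetError(f"{name}: expected one value")
        _int(args[0], name, hi=255)
    elif name == "order":
        if n != 1 or args[0] not in ("random", "reverse"):
            raise RulesetError("order: expected random|reverse")
    elif name == "print":
        if n != 0:
            raise RulesetError("print: takes no arguments")
    elif name == "tcp_chaff":
        if n != 1:
            raise RulesetError("tcp_chaff: expected cksum|null|paws|rexmit|seq|syn|<ttl>")
        if args[0] not in TCP_CHAFF:
            _int(args[0], "tcp_chaff ttl", hi=255)
    elif name == "tcp_opt":
        if n != 2 or args[0] not in ("mss", "wscale"):
            raise RulesetError("tcp_opt: expected mss|wscale <size>")
        _int(args[1], "tcp_opt size")
    else:
        raise RulesetError(f"unknown directive {name!r}")
    return (name, args)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a whole file; errors carry the 1-based line number."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except RulesetError as exc:
            raise RulesetError(f"line {lineno}: {exc}") from None
        if rule is not None:
            rules.append(rule)
    return rules


def is_valid(text: str) -> bool:
    """Convenience wrapper: True if the ruleset parses cleanly."""
    try:
        parse_ruleset(text)
    except RulesetError:
        return False
    return True


# Constructed sample ruleset mirroring the second EXAMPLES entry.
SAMPLE_RULESET = """\
# constructed sample ruleset
tcp_seg 4 new
tcp_chaff paws
order random
print
"""

if __name__ == "__main__":
    for directive, arguments in parse_ruleset(SAMPLE_RULESET):
        print(directive, arguments)
```

The validator is deliberately stricter than a tolerant reader would be: an unknown keyword, a misspelt overlap mode, or an ip_opt pointer below 4 fails the whole file with its line number, which is the behaviour you want from a configuration that rewrites every outgoing packet.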
.SH FILES
.TP
.I /usr/local/etc/fragroute.conf
Default configuration ruleset
.SH "SEE ALSO"
.BR fragtest (8)
.SH AUTHOR
Dug Song <[email protected]>
.SH BUGS
It is entirely possible to mangle your outgoing traffic so badly that
no remote TCP/IP stack will accept it. K.I.S.S.