Security Basics mailing list archives

Problems with Fragroute-1.2


From: "Arun Vishwanathan" <arun.vishwanathan () nevisnetworks com>
Date: Mon, 4 Apr 2005 22:57:20 +0530


Hi Dug and list,

I have run into a problem using fragroute-1.2. 

I will start by describing my topology first. I have two machines frag
and victim with two interfaces (eth0 and eth1) and running RedHat9 with
2.4.20-8 Linux Kernel. My intention is to use fragroute to obfuscate the
traffic that is outbound to a destination. 


+------+                                  +------+
|      |  e0 (10.0.0.1)      (10.0.0.2)   |      |
|      ------------------------------------      |
|Frag  |  e1 (20.0.0.1)      (20.0.0.2)   |Victim|
|      ------------------------------------      |
|      |                                  |      |
+------+                                  +------+


The victim machine is connected directly to the Fragger machine. The
test is to start fragroute with 10.0.0.2 / 20.0.0.2 as the destination
and then start a Ping/FTP from the fragger machine to the Victim machine
to fragment the traffic. 

The frag.conf file contains the following
ip_frag 8
print

My observations are as follows

1. fragroute -f frag.conf 10.0.0.2
   a. ping 10.0.0.2 
        All ping packets to 10.0.0.2 get fragmented.
   b. ftp 10.0.0.2
        TCP packets are also fragmented properly

2.  fragroute -f frag.conf 20.0.0.2
   a. ping 20.0.0.2 
        All ping packets to 20.0.0.2 get fragmented.
   b. ftp 20.0.0.2
        Now this is where the whole thing fails. The FTP connection
never gets established and the ftp client hangs. A closer look at the
packets exchanged reveals that the FTP Client on 20.0.0.1 is sending RST
packets to the victim. The transaction happens as follows

        (i) FTP client on machine frag Sends SYN to ftpd on victim
        (ii) Victim sends a SYN-ACK back
        (iii) FTP Client sends a RST !!!!!!!

This is what I don't understand as to why the FTP client sends a RST
back. 

Please note that the ftp session without the fragroute completes
smoothly. 

Because of this RST the ftp client is left in a hung state. :(

Summary of my observations:
---------------------------
1. Fragroute works smoothly for both ICMP and TCP when the outbound
interface is eth0.
2. When the destination is 20.0.0.2 i.e. network connected to eth1 then
only ICMP packets are fragmented while the TCP session does not go
through. 
3. Strangely the TCP client stack sends a RST on receipt of a SYN-ACK
from the server. 


Can anyone please tell me what is happening here? Am I doing something
wrong? How should I rectify this?  I don't understand why the client
stack which initiated the connection is sending the RST !!! ??

Eagerly waiting for a reply. 

Regards,
Arun


        

