Security Basics mailing list archives
Problems with Fragroute-1.2
From: "Arun Vishwanathan" <arun.vishwanathan () nevisnetworks com>
Date: Mon, 4 Apr 2005 22:57:20 +0530
Hi Dug and list,

I have run into a problem using fragroute-1.2. I will start by describing my topology first. I have two machines, frag and victim, each with two interfaces (eth0 and eth1) and running RedHat9 with 2.4.20-8 Linux Kernel. My intention is to use fragroute to obfuscate the traffic that is outbound to a destination.

    +------+                                      +------+
    |      | e0 (10.0.0.1)            (10.0.0.2)  |      |
    |      | ------------------------------------ |      |
    |Frag  | e1 (20.0.0.1)             20.0.0.2   |Victim|
    |      | ------------------------------------ |      |
    |      |                                      |      |
    +------+                                      +------+

The victim machine is connected directly to the Fragger machine. The test is to start fragroute with 10.0.0.2 / 20.0.0.2 as the destination and then start a Ping/FTP from the fragger machine to the Victim machine to fragment the traffic.

The frag.conf file contains the following:

    ip_frag 8
    print

My observations are as follows:

1. fragroute -f frag.conf 10.0.0.2
   a. ping 10.0.0.2
      All ping packets to 10.0.0.2 get fragmented.
   b. ftp 10.0.0.2
      TCP packets are also fragmented properly.

2. fragroute -f frag.conf 20.0.0.2
   a. ping 20.0.0.2
      All ping packets to 20.0.0.2 get fragmented.
   b. ftp 20.0.0.2
      Now this is where the whole thing fails. The FTP connection never gets established and the ftp client hangs. A closer look at the packets exchanged reveals that the FTP client on 20.0.0.1 is sending RST packets to the victim. The transaction happens as follows:

      (i) FTP client on machine frag sends SYN to ftpd on victim
      (ii) Victim sends a SYN-ACK back
      (iii) FTP client sends a RST !!!!!!!

      This is what I don't understand: why the FTP client sends a RST back. Please note that the ftp session without fragroute completes smoothly. Because of this RST the ftp client is left in a hung state. :(

Summary of my observations:
---------------------------
1. Fragroute works smoothly for both ICMP and TCP when the outbound interface is eth0.
2. When the destination is 20.0.0.2, i.e. the network connected to eth1, only ICMP packets are fragmented while the TCP session does not go through.
3. Strangely, the TCP client stack sends a RST on receipt of a SYN-ACK from the server.

Can anyone please tell me what is happening here? Am I doing something wrong? How should I rectify this? I don't understand why the client stack which initiated the connection is sending the RST !!! ??

Eagerly waiting for a reply.

Regards,
Arun
Current thread:
- Problems with Fragroute-1.2 Arun Vishwanathan (Apr 04)
- Re: Problems with Fragroute-1.2 Dug Song (Apr 04)