Problems with Fragroute-1.2

From: Arun Vishwanathan (arun.vishwanathan_at_nevisnetworks.com)
Date: 04/04/05

    Date: Mon, 4 Apr 2005 22:57:20 +0530
    To: <dugsong@monkey.org>, <security-basics@securityfocus.com>
    
    

    Hi Dug and list,

    I have run into a problem using fragroute-1.2.

    I will start by describing my topology first. I have two machines frag
    and victim with two interfaces (eth0 and eth1) and running RedHat9 with
    2.4.20-8 Linux Kernel. My intention is to use fragroute to obfuscate the
    traffic that is outbound to a destination.

    +------+                                    +------+
    |      | e0 (10.0.0.1)           (10.0.0.2) |      |
    |      -------------------------------------|      |
    |Frag  | e1 (20.0.0.1)             20.0.0.2 |Victim|
    |      -------------------------------------|      |
    |      |                                    |      |
    +------+                                    +------+

    The victim machine is connected directly to the Fragger machine. The
    test is to start fragroute with 10.0.0.2 / 20.0.0.2 as the destination
    and then start a Ping/FTP from the fragger machine to the Victim machine
    to fragment the traffic.

    The frag.conf file contains the following
    ip_frag 8
    print

    My observations are as follows

    1. fragroute -f frag.conf 10.0.0.2
       a. ping 10.0.0.2
            All ping packets to 10.0.0.2 get fragmented.
       b. ftp 10.0.0.2
            TCP packets are also fragmented properly

    2. fragroute -f frag.conf 20.0.0.2
       a. ping 20.0.0.2
            All ping packets to 20.0.0.2 get fragmented.
       b. ftp 20.0.0.2
            Now this is where the whole thing fails. The FTP connection
    never gets established and the ftp client hangs. A closer look at the
    packets exchanged reveals that the FTP Client on 20.0.0.1 is sending RST
    packets to the victim. The transaction happens as follows

            (i) FTP client on machine frag sends SYN to ftpd on victim
            (ii) Victim sends a SYN-ACK back
            (iii) FTP Client sends a RST !!!!!!!

    What I don't understand is why the FTP client sends a RST back.

    Please note that the ftp session without the fragroute completes
    smoothly.

    Because of this RST the ftp client is left in a hung state. :(

    Summary of my observations:
    ---------------------------
    1. Fragroute works smoothly for both ICMP and TCP when the outbound
    interface is eth0.
    2. When the destination is 20.0.0.2 i.e. network connected to eth1 then
    only ICMP packets are fragmented while the TCP session does not go
    through.
    3. Strangely the TCP client stack sends a RST on receipt of a SYN-ACK
    from the server.

    Can anyone please tell me what is happening here? Am I doing something
    wrong? How should I rectify this? I don't understand why the client
    stack which initiated the connection is sending the RST !!! ??

    Eagerly waiting for a reply.

    Regards,
    Arun
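
Added example (not part of the original post and not fragroute's code): a minimal model of what the `ip_frag 8` rule in frag.conf does to a TCP segment, and why a device inspecting this traffic has to reassemble before it can read the TCP flags. It assumes `ip_frag 8` means 8-byte IP payload fragments; the function names and the sample SYN segment are constructed for illustration.

```python
import struct

FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x10: "ACK"}

def fragment(payload, size=8):
    """Split an IP payload into (offset_in_8_byte_units, more_fragments, data)."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    return [(off // 8, off + size < len(payload), payload[off:off + size])
            for off in range(0, len(payload), size)]

def reassemble(frags):
    """Rebuild the payload from fragments in any order; None while incomplete.
    Overlapping fragments are not modelled here."""
    pieces, total = {}, None
    for off_units, more, data in frags:
        pieces[off_units * 8] = data
        if not more:                      # last fragment fixes the total length
            total = off_units * 8 + len(data)
    if total is None:
        return None
    out = bytearray()
    while len(out) < total:
        piece = pieces.get(len(out))
        if not piece:                     # hole: a middle fragment is missing
            return None
        out += piece
    return bytes(out[:total])

def tcp_flags(segment):
    """Flag names from a TCP header, or None if the flags byte (offset 13) is absent."""
    if len(segment) < 14:
        return None
    return {name for bit, name in FLAG_NAMES.items() if segment[13] & bit}

def make_syn():
    """Constructed 20-byte TCP header: port 40000 -> 21, SYN set, no options."""
    return struct.pack("!HHIIBBHHH", 40000, 21, 1000, 0, 5 << 4, 0x02, 5840, 0, 0)

if __name__ == "__main__":
    frags = fragment(make_syn(), 8)
    for off, more, data in frags:
        print(f"offset={off * 8:2d} MF={int(more)} len={len(data)} flags={tcp_flags(data)}")
    print("reassembled flags:", tcp_flags(reassemble(frags[::-1])))
```

With 8-byte fragments the first fragment carries only the ports and sequence number; the flags byte arrives in the second fragment, so only the reassembled segment can be classified as a SYN.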

            
