Intrusion Detection FAQ: How does Fragroute evade NIDS detection?

Michael Holstein

Network-based Intrusion Detection Systems (NIDS) are typically configured to passively monitor the traffic on a network segment, either through a hardware tap or by another tactic such as the switchport-monitor command (Cisco IOS). Either way, the NIDS can observe, and in some cases inject, traffic for all hosts and destinations passing through that segment.

Most NIDS are pattern based: they require a large set of signatures (typically 1500 or more) and alert on a specific combination of TCP header flags or on a set pattern in the payload. The accuracy of this approach depends, of course, on the skill of the administrator who writes the signatures, but in most cases it provides very accurate detection of a specific known attack, and it will not catch new or modified attacks.

Statistically based NIDS, which are usually used in conjunction with pattern matching, try to establish a baseline of activity and alert when packets are “statistically significant” in their deviation from the norm, a mathematical way of saying “weird packet”. Unlike pattern matching, this tactic can catch new (and, only occasionally, more creative) attacks, at the cost of being rather noisy and requiring human analysis of every alert.

Because most NIDS operate at layer 2 of the OSI model, they simply feed raw traffic into a detection engine and rely on pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host’s TCP/IP stack, which allows the NIDS to analyze traffic the host would otherwise discard. The same approach has a disadvantage: packets can be intentionally crafted so that they confuse a pattern-matching NIDS while still being correctly reassembled by the target host’s TCP/IP stack, which then receives the attack payload intact.

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, written by Ptacek & Newsham (1998), details a number of these attack methods, which are summarized below. The techniques described in Ptacek & Newsham were used by programmer Dug Song to create Fragroute.

Fragroute, by its own assertion [man(8) page], “…intercepts, modifies, and rewrites egress traffic destined for the specified host, implementing most of the attacks described in the Secure Networks ‘Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection’ paper of January 1998.”

Terms and Conventions used in this document

Software:
  Snort : Network Intrusion Detection System (NIDS).
  Tcpdump : Packet capture utility.
  Ethereal : Packet analysis utility.
  Fragroute : Packet shaper.

Obfuscation : source and destination hosts/networks are aliased as follows:
  attack.source : host initiating the attack.
  attack.server : host running the daemon under attack.

Session logs : the symbols ‘>’ and ‘<’ indicate the direction of communication:
  ‘>’ : commands issued from attack.source
  ‘<’ : command results returned from attack.server
How It Works
To determine the effectiveness of Fragroute in obscuring a potential attack, three hosts were used: one running Fragroute as the source, a second running wu-ftpd as the target, and a third running Tcpdump, Snort, and Ethereal for capture and analysis. All three hosts were connected to an isolated network segment.

Because the purpose of this analysis was the evasion technique and not the attack itself, I chose a common FTP exploit – attempting to “cd ~root” while authenticated as an unprivileged user. This exploit is well documented [CVE-1999-0082] and reliably detected by most NIDS systems.

It involves the following commands (comments indicate where packet logging started and stopped for all examples which follow):

Attack.source > ftp
              < 220 FTP server ready
              > user unprivileged
              < 331 password required for unprivileged
              > pass mypassword
              < 230 user unprivileged logged in
              > cd ~root                              #network trace begins
              < 250 CWD command successful            #network trace ends

For a baseline, the above sequence (logged where indicated) was executed without Fragroute, using Tcpdump for capture and Ethereal for analysis:

Snort immediately complained:

The attack was then repeated using Fragroute to obscure the attempt. The standard ruleset (provided when Fragroute is compiled) was used for testing. The function of each rule is explained as comments:

The session was again logged with Tcpdump and analyzed with Ethereal:
A request/response which would typically require only 3 packets now uses 38. Our original request of “cd ~root” is sent out of order in packets 7, 11, 18, 19 and 22 with 1 or 2 byte payloads. Packets 1, 2, 3, 4, 5, 6 and 7 are duplicate “chaff” packets issued as part of the FTP session.

The remaining packets from attack.source are “chaff” packets with a variety of problems: short headers, invalid checksums, or duplication of earlier packets. The packets returned from attack.server are ACKs for those chaff packets whose checksums the remote IP stack accepted as valid.


The fragmented stream was correctly reassembled by the target’s IP stack, resulting in the “250” success response in packet 35. Fragroute does not manipulate the reverse traffic.
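To make the preceding paragraphs (and the layer-2 limitation described in the introduction) concrete, here is an added example that is not part of the original article and is not Fragroute's or Snort's code: a small Python model of a “cd ~root” request split into 1- and 2-byte out-of-order TCP segments, interleaved with chaff that has bad checksums, short headers or duplicated sequence numbers, in the manner the trace above shows. Three observers look at the same constructed wire: a per-packet signature, a naive concatenation of payloads in arrival order, and a checksum-verifying reassembler that places bytes by sequence number as the target's stack does. The addresses, ports, sequence numbers and chaff contents are all constructed for the example; the checksum routine implements the standard TCP checksum over the pseudo-header (RFC 1071 arithmetic).

```python
import socket
import struct

# All values below are constructed for this example (RFC 5737 documentation addresses).
SRC, DST = "192.0.2.10", "192.0.2.20"
SPORT, DPORT = 40000, 21
ISN = 1000                      # constructed initial sequence number of the request
SIGNATURE = b"cd ~root"         # what a pattern-matching NIDS is looking for


def _internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, proto 6, length."""
    return socket.inet_aton(SRC) + socket.inet_aton(DST) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(seq: int, payload: bytes, corrupt: bool = False) -> bytes:
    """20-byte TCP header (PSH|ACK, no options) plus payload; corrupt=True spoils the checksum."""
    hdr = struct.pack("!HHIIBBHHH", SPORT, DPORT, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = _internet_checksum(_pseudo_header(20 + len(payload)) + hdr + payload)
    if corrupt:
        csum ^= 0x5A5A          # any non-zero XOR makes the checksum fail verification
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_segment(raw: bytes):
    """Return (seq, payload, checksum_ok), or None when the header is too short to parse."""
    if len(raw) < 20:
        return None
    seq = struct.unpack("!I", raw[4:8])[0]
    hlen = (raw[12] >> 4) * 4
    if hlen < 20 or hlen > len(raw):
        return None
    ok = _internet_checksum(_pseudo_header(len(raw)) + raw) == 0   # valid iff sum folds to zero
    return seq, raw[hlen:], ok


def constructed_wire() -> list:
    """Constructed trace imitating tiny out-of-order segments, chaff and a duplicate."""
    pieces = [(0, b"cd"), (2, b" "), (3, b"~r"), (5, b"oo"), (7, b"t\r"), (9, b"\n")]
    wire = []
    for idx in (3, 0, 5, 1, 4, 2):                                  # deliberately out of order
        off, data = pieces[idx]
        wire.append(build_segment(ISN + off, b"XX", corrupt=True))  # chaff: bad checksum, same seq
        wire.append(b"\x00" * 12)                                   # chaff: header too short
        wire.append(build_segment(ISN + off, data))                 # the real 1-2 bytes
    wire.append(build_segment(ISN, b"cd"))                          # duplicate retransmission
    return wire


def per_packet_match(wire) -> bool:
    """Stateless signature: inspects each packet's payload on its own."""
    for raw in wire:
        parsed = parse_segment(raw)
        if parsed and SIGNATURE in parsed[1]:
            return True
    return False


def arrival_order_concat(wire) -> bytes:
    """Naive stream view: concatenate payloads as they arrive, no ordering, no checksum test."""
    return b"".join(p[1] for p in map(parse_segment, wire) if p)


def reassemble_like_host(wire) -> bytes:
    """What the target's stack delivers: checksum-verified bytes placed by sequence number.
    Overlapping bytes keep the first copy received (one of several real-stack policies)."""
    stream = {}
    for raw in wire:
        parsed = parse_segment(raw)
        if not parsed or not parsed[2]:
            continue            # unparseable or bad checksum: dropped silently, never ACKed
        seq, payload, _ = parsed
        for i, byte in enumerate(payload):
            stream.setdefault(seq + i - ISN, byte)
    return bytes(stream[k] for k in sorted(stream))


if __name__ == "__main__":
    wire = constructed_wire()
    print("per-packet signature fires:", per_packet_match(wire))                        # False
    print("naive concat contains signature:", SIGNATURE in arrival_order_concat(wire))  # False
    print("host stack sees:", reassemble_like_host(wire))                               # b'cd ~root\r\n'
```

Only the third observer recovers the signature, which is why a NIDS needs stateful, checksum-aware stream reassembly rather than per-packet matching. The reassembler here resolves overlapping bytes by keeping the first copy received; real stacks differ in that policy, and that difference is exactly the insertion/evasion ambiguity Ptacek and Newsham describe, so a production NIDS has to model the target host's behaviour rather than pick one policy for everyone.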

Snort 1.8.6 failed to detect any element of the attempt.

Nature of the threat
The thought of a potential attacker being able to download 83k of software and make themselves invisible to a well-laid and meticulously maintained network of security hardware and software would agitate even the most sedate security staff. Intrusion detection systems provide valuable warning as potential threats probe your network, and (usually) provide the evidence needed to figure out what happened if an attacker finds something of interest before you do.

According to Marty Roesch, Snort 1.9 (currently under development) “…deals with some of the more interesting attacks from fragroute…” (Roesch, 1). To test this, snort-current was compiled from CVS and the same tcpdump file used previously was replayed through it with snortrules-current, also from CVS. Snort detected some of the “chaff” fragments as a portscan, and the responses to the garbage packets as an “Evasive RST”; neither identifies the original attack. Tracking snort-current will address the issue eventually, but at present NIDS still appear unable to cope with an attack wrapped by Fragroute.

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED to port 22646 from attack.source (STEALTH) [**]
05/06-11:30:43.912934

[**] [111:2:1] spp_stream4: possible EVASIVE RST detection [**]
05/02-20:58:16.589253 -> attack.source:21862
TCP TTL:59 TOS:0x10 ID:47366 IpLen:20 DgmLen:42 DF
***A*R** Seq: 0x55626D41 Ack: 0x726E5455 Win: 0x4733 TcpLen: 20

[**] [111:2:1] spp_stream4: possible EVASIVE RST detection [**]
05/02-20:58:16.599253 -> attack.source:26951
TCP TTL:59 TOS:0x10 ID:49947 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x5447766C Ack: 0x68534F74 Win: 0x364E TcpLen: 20

Possible Solutions To The Vulnerability
  • Use a host-based IDS on exposed systems. A host-based IDS detects malicious activity by monitoring at the application layer, and can report on entries created in the system or access logs. Logsnorter is one such example.
  • Upgrade your NIDS software. Vendors are presently scrambling to address the issues created by Fragroute and will figure it out eventually.
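As an added example of the host-based approach in the first bullet (not part of the original article, and not Logsnorter's own code), the following Python script scans wu-ftpd syslog output for the “cd ~root” attempt described earlier. It assumes ftpd was started with -L so that each command is logged as “ftpd[pid]: COMMAND args”; the sample lines are constructed, and the exact wording of the login line is an assumption that may differ between wu-ftpd versions. Because the daemon logs the command only after its own TCP stack has reassembled it, wire-level fragmentation and chaff do not change what appears here.

```python
import re

# Constructed sample syslog lines in the wu-ftpd "-L" style (not from the article).
# The "FTP LOGIN FROM ..." wording is assumed; adjust LOGIN_RE to your ftpd version.
SAMPLE_LOG = """\
May  6 11:30:40 ftphost ftpd[2101]: connection from 192.0.2.10
May  6 11:30:41 ftphost ftpd[2101]: FTP LOGIN FROM 192.0.2.10 [192.0.2.10], unprivileged
May  6 11:30:42 ftphost ftpd[2101]: CWD /pub
May  6 11:30:43 ftphost ftpd[2101]: CWD ~root
May  6 11:30:44 ftphost ftpd[2102]: connection from 192.0.2.11
May  6 11:30:45 ftphost ftpd[2102]: FTP LOGIN FROM 192.0.2.11 [192.0.2.11], alice
May  6 11:30:46 ftphost ftpd[2102]: CWD ~alice
May  6 11:30:47 ftphost ftpd[2102]: CWD ~root/
"""

# Standard syslog prefix followed by the ftpd message; pid ties commands to a login.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^FTP LOGIN FROM \S+ \[(?P<ip>[^\]]+)\], (?P<user>\S+)$")
CWD_RE = re.compile(r"^CWD\s+(?P<path>\S+)$")


def find_tilde_user_cwd(log_text: str, target_user: str = "root") -> list:
    """Alert on CWD into another account's home via tilde expansion (e.g. "~root").

    Returns one dict per offending command with the session's user and client IP,
    taken from the most recent login line logged under the same ftpd pid.
    """
    sessions = {}   # pid -> {"user": ..., "ip": ...}
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        login = LOGIN_RE.match(msg)
        if login:
            sessions[pid] = {"user": login["user"], "ip": login["ip"]}
            continue
        cwd = CWD_RE.match(msg)
        if not cwd:
            continue
        path = cwd["path"]
        # Match "~root" and "~root/..." exactly; "~rootbeer" is a different account.
        if path == "~" + target_user or path.startswith("~" + target_user + "/"):
            who = sessions.get(pid, {"user": "?", "ip": "?"})
            if who["user"] != target_user:      # the account owner visiting its own home is fine
                alerts.append({"ts": m["ts"], "pid": pid, "user": who["user"],
                               "ip": who["ip"], "path": path})
    return alerts


if __name__ == "__main__":
    for alert in find_tilde_user_cwd(SAMPLE_LOG):
        print("%(ts)s ftpd[%(pid)s]: user %(user)s from %(ip)s issued CWD %(path)s" % alert)
```

The script keys on the ftpd process id so that each CWD can be attributed to the user who logged in on that connection; pipe live syslog through it, or point it at the rotated log, to get the same attribution a NIDS loses once the wire traffic is fragmented.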
References
Lemos, Robert. New tool camouflages hacker programs. ZDNet Australia. 22 April 2002.,2000024985,20264745,00.htm

Mitre. Common Vulnerabilities and Exposures. 27 August 1999.

Ptacek, Thomas & Newsham, Timothy. “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”. Secure Networks, January 1998.

Roesch, Marty. News. 7 May 2002.

Song, Dug. “Fragroute(8)”.

Timm, Kevin. IDS Evasion Techniques and Tactics. SecurityFocus (Infocus). 7 May 2002.