
RFC3514: Setting the Evil Bit

Every once in a while, a good joke can turn into a useful feature. On April 1st, 2003, Steven Bellovin published RFC 3514, entitled "The Security Flag in the IPv4 Header". This document suggested that the "unused bit" in the IP Flags field of the IPv4 packet header should be used to convey security information. Specifically, the document stated that the "evil bit" should be set to one for all attack traffic, while benign traffic should leave it set to zero. Network devices, such as firewalls, should drop all traffic with this bit set. The assumption, of course, is that malicious users would always follow the RFC and set the evil bit for any packets used in an attack. While most folks who saw this RFC realized it was a joke, quite a few people contacted Bellovin asking for clarification. You can see an archive of the responses on Mr. Bellovin's web site.

So, how is this useful? The BreakingPoint BPS-1000 product supports multiple concurrent tests. The traffic leaving the four test ports can be a combination of re-created traffic streams, generated application traffic, high-speed TCP sessions, and exploits. If you are developing a security product, such as an IPS or IDS, trying to debug attack detection under a heavy traffic load can be problematic. If only there was an easy way to identify the "evil" traffic in the stream...

The evil bit to the rescue! The BreakingPoint BPS-1000 supports setting the evil bit for all attack traffic sent by the Security component. To enable RFC 3514 support:

  1. Log in to the BPS-1000 interface.
  2. Access the Attack Manager and create a new Attack Series.
  3. Add the desired exploits to the Strikes group.
  4. Click the Parameters button. The system will examine the selected strikes and present you with a list of all available parameters.
  5. Select the IP option group from the Parameters Filter drop-down box. The option list will now show IP related parameters.
  6. Select the RFC3514 option and change the value to true.
  7. Close the Parameters dialog.
  8. Select New Test from the Test menu.
  9. Add a Security component.
  10. Select the Targeted Attack screen.
  11. Choose the Attack Series you just created from the list.

At this point, you can add other components, such as the Bit Blaster and Session Sender, or just run the test as is. Once the test is running, you can use the following tcpdump BPF filter to match the evil traffic (byte 6 of the IPv4 header holds the flags, and 128 is the reserved high bit):
#  tcpdump -vn 'ip[6] & 128 != 0'
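To make the filter concrete, here is an added Python example (not from the original post and not BPS-1000 code) that builds constructed IPv4 headers with and without the evil bit and applies the same `ip[6] & 128` test the tcpdump expression uses; the addresses, identification value and packet list are made up for the example.

```python
import struct

# High bit of IPv4 header byte 6: the reserved flag that RFC 3514 calls the "evil bit".
EVIL_BIT = 0x80

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words. Over a header whose checksum
    field is zero it yields the checksum; over a complete valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, evil: bool, proto: int = 6, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options). evil=True sets the reserved flag."""
    flags_frag = (0x8000 if evil else 0) | 0x4000  # DF set, fragment offset 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def evil_bit_set(packet: bytes) -> bool:
    """Same test as tcpdump's 'ip[6] & 128 != 0'; packet must start at the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return bool(packet[6] & EVIL_BIT)

def count_evil(packets: list) -> tuple:
    """Split a capture into (evil, benign) packet counts, as a debugging aid
    when attack traffic is mixed with background load."""
    evil = sum(1 for p in packets if evil_bit_set(p))
    return evil, len(packets) - evil

# Constructed sample capture: two "attack" packets flagged per RFC 3514, one benign.
SAMPLE_PACKETS = [
    build_ipv4_header("10.0.0.1", "10.0.0.2", evil=True),
    build_ipv4_header("10.0.0.1", "10.0.0.3", evil=False, proto=17),
    build_ipv4_header("10.0.0.4", "10.0.0.2", evil=True, payload_len=40),
]

if __name__ == "__main__":
    print("evil/benign:", count_evil(SAMPLE_PACKETS))
```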

Posted by HD Moore (2007-06-20 13:30:34)