Every once in a while, a good joke can turn into a useful feature. On April 1st, 2003, Steven Bellovin published RFC 3514, entitled "The Security Flag in the IPv4 Header". This document suggested that the "unused bit" in the IP Flags field of the IPv4 packet header should be used to convey security information. Specifically, the document stated that the "evil bit" should be set to one for all attack traffic, while benign traffic should leave it set to zero. Network devices, such as firewalls, should drop all traffic with this bit set. The assumption, of course, is that malicious users would always follow the RFC and set the evil bit for any packets used in an attack. While most folks who saw this RFC realized it was a joke, quite a few people contacted Bellovin asking for clarification. You can see an archive of the responses on Mr. Bellovin's web site.
So, how is this useful? The BreakingPoint BPS-1000 product supports multiple concurrent tests. The traffic leaving the four test ports can be a combination of re-created traffic streams, generated application traffic, high-speed TCP sessions, and exploits. If you are developing a security product, such as an IPS or IDS, trying to debug attack detection under a heavy traffic load can be problematic. If only there were an easy way to identify the "evil" traffic in the stream...
The evil bit to the rescue! The BreakingPoint BPS-1000 supports setting the evil bit for all attack traffic sent by the Security component. To enable RFC 3514 support:
At this point, you can add other components, such as the Bit Blaster and Session Sender, or just run the test as is. Once the test is running, you can use the following tcpdump BPF filter to match the evil traffic (byte 6 of the IPv4 header holds the three flag bits, and 128 is the reserved, or "evil", bit):
# tcpdump -vn 'ip[6] & 128 != 0'
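To show what that filter is actually testing, here is an added example (not code from the original post or from the BreakingPoint product) that builds a minimal IPv4 header with the reserved bit set, the way a test generator marks its attack traffic, and then applies the same `ip[6] & 128` check to tell marked packets from benign ones. Addresses and header values are constructed sample data.

```python
import struct

# RFC 3514: the reserved (top) bit of the 16-bit Flags/Fragment-Offset word.
EVIL_BIT = 0x8000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, evil: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header (TCP, DF set, constructed id/TTL) with an
    optional evil bit, mirroring how a test generator tags its attack traffic."""
    flags_frag = 0x4000 | (EVIL_BIT if evil else 0)  # DF, fragment offset 0
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, 6, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_flags(packet: bytes) -> dict:
    """Decode the Flags/Fragment-Offset word at IP header bytes 6-7."""
    word = struct.unpack("!H", packet[6:8])[0]
    return {"evil": bool(word & 0x8000), "df": bool(word & 0x4000),
            "mf": bool(word & 0x2000), "frag_offset": word & 0x1FFF}


def has_evil_bit(packet: bytes) -> bool:
    """Same test as the tcpdump filter 'ip[6] & 128 != 0'."""
    return len(packet) >= 20 and (packet[6] & 0x80) != 0


def filter_evil(packets):
    """Indexes of the packets the tcpdump filter would select."""
    return [i for i, p in enumerate(packets) if has_evil_bit(p)]
```

Because the check looks only at bit 7 of byte 6, DF (0x40) and MF (0x20) in the same byte never trigger it, so ordinary fragmented or DF-marked traffic is not misclassified as "evil".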