
Virtual IP Phalanx Router
... a study of attack router concepts
Introduction
The IRPAS program collection can be used to perform
routing protocol attacks. Often, the approach is to redirect a traffic stream
through another router which is under the control of an attacker.
Existing systems can be used to do this since most operating systems provide
routing capabilities. But what if such a system is not available? Or what if
the attacker got a system to reroute its traffic through another one, just to
discover that the new router immediately sends back an ICMP redirect to correct
the routing?
Another problem we are aware of is that the GRE tunnel intrusion described in
our GRE paper can't be done without modification
of all used tools - which would be a pain.
The Study
Since there are so many problems and uncertain circumstances you are facing
when doing routing or tunneling attacks, we decided to start a study of an
attack router software. The idea has the same origin as port scanners:
you can use existing tools to scan ports (such as telnet(1)), but this is
inflexible and not powerful enough. So people started to write software just
for attackers, which later became today's huge number of port scanners.
The same idea applies to routers: if existing routing software can't fulfill
your desires as a Gray Hat, create a router software that is just for this
kind of stuff.
The Virtual IP Phalanx Router is a study object - not a product. But since
most open source projects would acknowledge that a big part of them is
just study, we thought that publishing this thing wouldn't hurt.
VIPPR concepts
VIPPR is a user land software that runs on Linux. To begin with an internal
detail: VIPPR is just a sniffer/protocol analyser that knows something about
how to handle certain kinds of traffic and reacts accordingly.
You can bind as many virtual IP addresses to an existing interface as you
want. These are not used by the kernel - the kernel doesn't even
know about them. These Virtual IPs (or VIPs) can have several properties. In
fact, there are different kinds of VIPs available to you. But you don't just
bind IPs to an interface, you also select the MAC address they use.
This enables you to impersonate any device on your network on the lower
layers.
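
Because the kernel of the host never sees these addresses, the network is where they become visible. The following is an added example (not part of VIPPR or of the original page) that checks ARP observations against a known IP/MAC/port baseline; the baseline, the sample observations and the function name find_anomalies are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed baseline (assumption): IP -> (MAC, switch port) of known devices.
BASELINE = {
    "10.0.0.1": ("00:11:22:33:44:01", "Gi0/1"),
    "10.0.0.20": ("00:11:22:33:44:20", "Gi0/7"),
}

# Constructed observations: (switch port, source MAC, ARP sender IP).
OBSERVED = [
    ("Gi0/1", "00:11:22:33:44:01", "10.0.0.1"),
    ("Gi0/9", "00:11:22:33:44:01", "10.0.0.1"),   # known identity, wrong port
    ("Gi0/9", "02:00:00:00:00:aa", "10.0.0.50"),
    ("Gi0/9", "02:00:00:00:00:bb", "10.0.0.51"),
    ("Gi0/7", "00:11:22:33:44:20", "10.0.0.20"),
]

def find_anomalies(baseline, observed, max_macs_per_port=1):
    """Return findings for moved identities and ports sourcing several MACs."""
    findings = []
    macs_by_port = defaultdict(set)
    for port, mac, ip in observed:
        macs_by_port[port].add(mac.lower())
        known = baseline.get(ip)
        # A known IP answering with another MAC, or from another port,
        # means something else is claiming that device's identity.
        if known and (mac.lower(), port) != (known[0].lower(), known[1]):
            findings.append(("identity-moved", ip, mac.lower(), port))
    # An access port normally carries one host MAC; several source MACs
    # behind one port is what many virtual addresses on one NIC can look like.
    for port in sorted(macs_by_port):
        macs = sorted(macs_by_port[port])
        if len(macs) > max_macs_per_port:
            findings.append(("multi-mac-port", port, tuple(macs)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, OBSERVED):
        print(finding)
```
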
In contrast to conventional routers, VIPPR does not use one routing table but
as many as you like. You can create routing tables and VIPs independently of
each other. Then, you assign a routing table to your VIP. All VIPs that are in
the same routing group can forward traffic from one to another. VIPs that are
in a different routing group can't. It's the concept you know from VLANs - but
just for routing.
To enable users to perform GRE intrusion attacks without changing their
existing tools, VIPPR supports VIPs which do GRE encapsulation for any tunnel
you can think of and send the packets to the tunnel destination IP. This makes
it possible to do a GRE intrusion just by setting up this VIP and having your
workstation route its traffic through this VIP.
VIPPR limitations
First, like all study code from us, this one is as portable as an aircraft
carrier on land and may be as buggy as some FTP servers. We are currently
working in the background on another version which will be cleaner and
probably even portable.
At the moment, all VIPs share the same ARP table. In the next major version,
the ARP table will be per VIP, which serves the concept of VIPs better.
Another limitation is that the software only runs on Linux and requires the
box to be its own. To achieve throughput that can handle a fully loaded
100MBit network, we had to make it very "processor-hurting". Take a
dedicated machine to run it - any 386 will do.
The tunnel intrusion part is still only for GRE. We will support GRE source
routing attacks and several other encapsulation methods in the future.
Additionally, we are working on VLAN hop capability for VIPPR as well.