Most NIDS operate at layer 2 of the OSI model. They feed raw traffic into a detection engine and rely on pattern matching and/or statistical analysis to decide what is malicious. Because the packets are not processed by the host's TCP/IP stack, the NIDS also analyzes traffic that the host would discard. Which of the following tools allows an attacker to intentionally craft packets that confuse a pattern-matching NIDS, while the host's TCP/IP stack still reassembles them correctly and delivers the attack payload?
A. Defrag
B. Tcpfrag
C. Tcpdump
D. Fragroute
Explanation:
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (Ptacek and Newsham, January 1998). It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. The tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. tcpdump (option C) only captures and prints packets; it does not rewrite them.
Answer: D
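The insertion and evasion idea behind the correct answer, as an added example that is not part of the original question, the referenced paper, or fragroute itself: a small Python simulation of a TCP stream in which chaff segments the host will reject (modelling a bad checksum or a TTL that expires before the host) are placed in front of each real segment and the segment pairs are sent in reverse order. A naive sensor that validates nothing and keeps first-seen overlap data reassembles garbage, while the host reassembles the attack string. The `Segment` model, the `/cgi-bin/phf` signature string and the reassembly policies are all constructed assumptions for illustration, not fragroute rules or a real sensor's code.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed, simplified model of a TCP segment. Only the sequence number,
# the payload and whether the target host would accept the segment are
# modelled; "not accepted" stands in for a bad TCP checksum or a short TTL.
@dataclass
class Segment:
    seq: int
    data: bytes
    accepted_by_host: bool = True   # False: host stack silently drops it

# Hypothetical pattern the sensor looks for (constructed for the example).
SIGNATURE = b"/cgi-bin/phf"


def craft_evasive_stream(payload: bytes, chunk: int = 4) -> List[Segment]:
    """Split the payload into small segments (the effect of fragroute's
    tcp_seg rule), put a host-rejected chaff segment covering the same
    sequence space in front of every real segment (an insertion attack),
    and emit the pairs in reverse order (like fragroute's 'order reverse')."""
    pairs = []
    for off in range(0, len(payload), chunk):
        real = payload[off:off + chunk]
        chaff = Segment(off, b"X" * len(real), accepted_by_host=False)
        pairs.append((chaff, Segment(off, real)))
    pairs.reverse()
    return [seg for pair in pairs for seg in pair]


def reassemble(segments: List[Segment], drop_invalid: bool,
               prefer: str = "first") -> bytes:
    """Generic stream reassembly by sequence number.
    drop_invalid=True behaves like a real host that discards bad segments;
    prefer selects which data wins on overlapping sequence space
    ('first' or 'last' received)."""
    buf: Dict[int, int] = {}
    for seg in segments:
        if drop_invalid and not seg.accepted_by_host:
            continue
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if prefer == "first" and off in buf:
                continue            # keep what arrived earlier
            buf[off] = byte         # 'last': later data overwrites
    return bytes(buf[k] for k in sorted(buf))


def naive_nids_view(segments: List[Segment]) -> bytes:
    # Sensor that never checks checksums/TTL and keeps first-seen overlap data.
    return reassemble(segments, drop_invalid=False, prefer="first")


def host_view(segments: List[Segment]) -> bytes:
    # Target stack: rejected segments never reach reassembly.
    return reassemble(segments, drop_invalid=True, prefer="first")


def validating_nids_view(segments: List[Segment]) -> bytes:
    # Hardened sensor: verify what the host verifies and mirror its overlap policy.
    return reassemble(segments, drop_invalid=True, prefer="first")


def detected(stream: bytes) -> bool:
    return SIGNATURE in stream


if __name__ == "__main__":
    # Constructed attack request; the phf string is a classic example only.
    attack = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
    wire = craft_evasive_stream(attack)
    print("host reassembles   :", host_view(wire), detected(host_view(wire)))
    print("naive NIDS sees    :", naive_nids_view(wire), detected(naive_nids_view(wire)))
    print("validating NIDS    :", detected(validating_nids_view(wire)))
```

The point the simulation makes is the one from the paper: the sensor and the host disagree about which bytes belong to the stream, so the host receives the payload while the sensor matches its signature against chaff. The fix on the defensive side is shown by `validating_nids_view`: the sensor has to reject exactly what the target host rejects and apply the same overlap policy, which in practice means checksum and TTL checks plus per-target reassembly profiles.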