VIPPR

Virtual IP Phalanx Router

... a study of attack router concepts

[Download |Documentation |License ]

Introduction

The IRPAS program collection can be used to perform routing protocol attacks. Often, the approach is to redirect a traffic stream through another router which is under the control of an attacker.
Existing systems can be used to do this since most operating systems provide routing capabilities. But what, if such a system is not available? Or the attacker got a system to reroute it's traffic through another one just to discover that the new router immediately send back an ICMP redirect to correct the routing?
Another problem we are aware of is that the GRE tunnel intrusion described in our GRE paper can't be done without modification of all used tools - which would be a pain.

The Study

Since there are so many problems and uncertain circumstances you are facing when doing routing or tunneling attacks, we decided to start a study of an attack router software. The idea has the same sources as port scanners have: you can use exisiting tools to scan ports (such as telnet(1)), but this is unflexible and not powerful enough. So people started to write software just for attackers, which later became today's huge amount of port scanners.
The same idea applies for routers: If exisiting routing software can't fulfill your desires as a Gray Hat, create a router software that is just for this kind of stuff.
The Virtual IP Phalanx Router is a study object - not a product. But since most open source projects would acknowledge the fact that there is a big part just study, we thought that publishing this thing wouldn't hurt.

VIPPR concepts

VIPPR is a user land software that runs on Linux. To begin with an internal: VIPPR is just a sniffer/protocol analyser that knows something about how to handle certain kind of traffic and reacts accordingly.
You can bind as much virtual IP addresses to an exising interface as you want. These are not used by the kernel - the kernel dosen't even know about them. These Virtual IPs (or VIPs) can have several properties. In fact, there are different kinds of VIPs available to you. But you don't just bind IPs to an interface, you also select the MAC address they use. This enables you to impersonate any device on your network on the lower layers.
In contrast to conventional routers, VIPPR does not use one routing table but as much as you like. You can create routing tables and VIPs independent from each other. Then, you assign a routing table to your VIP. All VIPs that are in the same routing group can forward traffic from one to another. VIPs that are in a different routing group can't. It's the concept you know from VLANs - but just for routing.
To enable users to perform GRE intrusion attacks without changing their existing tools, VIPPR supports VIPs which do GRE encapsulation for any Tunnel you can think of and send them to the tunnel destination IP. This makes it possible to do a GRE intrusion just by setting up this VIP and have your workstation route it's traffic through this VIP.

VIPPR limitations

First, as all study code from us, this one is portable as a aircraft carrier on land and may be as buggy as some FTP servers. We are currently working in the background on another version which will be cleaner and probably even portable.
At the moment, all VIPs share the same ARP table. In the next major version, the ARP table will be per VIP, which serves the concept of VIPs better.
Another limitation is that the software only runs on Linux and requires the box to be his own. To achive throughput that can handle a fully loaded 100MBit network, we had to make it very "processor-hurting". Take a dedicated machine to run it - any 386 will do.
The tunnel intrusion part is still only for GRE. We will support GRE source routing attacks and several other encapsulation methods in the future. Additionally, we work in VLAN hop capability for VIPPR as well.