Skip to content →

Category: Bouncer

A bouncer bounces packets it receives from clients to servers. This is useful when people want to hide their internal network topologies. In this report, we examine a very simple case of bouncer — a bouncer that only bounces ICMP requests. When it receives an ICMP echo request, it modify the packet and forward it to the server specified by the user. After receiving the echo reply packet, it again modifies the packet and finds out where to send the packet and then sends out the reply packet. Done in 2010.

Testing Bouncer

Static testing is used to test the bouncer, that is, a separate set of test cases and sample outputs are provided. And the bouncer is given the test cases and its outputs are compared with sample outputs.

A verifier is used to accomplish the above function, and another bash script is written to automate the process.

The bash script is as follows:

#!/bin/sh

USAGE="Usage: $0 [-v] bouncer" 
CMD="./verifier "
TESTDIR="cases"

while getopts "v" optname
do
    case "$optname" in
        "v")
        CMD="./verifier -v "
        ;;
        *)
        echo $USAGE

exit 1
        ;;
    esac
done
shift $(($OPTIND-1))
BCER=$*

if [ -f "$BCER" ]
then
    find "$TESTDIR" -iname "*pcap" | while read i
do
    if [ -f "$i" ] && [ -f "$i"-ref ]
    then
        echo "======================================================================"
        echo "Verifying file: $i"
        $BCER -t -l 1.1.1.1 -s 3.3.3.3 <"$i" >"$i"-out
	BCRT=$?
	echo
"----------------------------------------------------------------------"
        if [ $BCRT != 0 ]
        then
            echo "$BCER returned with $?"
            echo "Exiting $0"
            exit 1
        fi
        $CMD -i "$i"-out -r "$i"-ref
	CMDRT=$?
	echo "----------------------------------------------------------------------"
        echo "Result for $i:"
	echo "$CMDRT packets has passed validation"
        echo
"======================================================================"
	echo "n"
    fi
done
else
    echo $USAGE
fi

exit 0

The verifier is as follows:

#include "verifier.h"
typedef unsigned short u16;
typedef unsigned long u32;

/* CRC
 * Adopted from http://www.netfor2.com/ipsum.htm

*/
u16 ip_sum_calc(u16 len_ip_header, u16 buff[]) {
    u16 word16;
    u32 sum = 0;
    u16 i;

    // make 16 bit words out of every two adjacent 8 bit words in the packet
    // and add them up
    for (i = 0; i < len_ip_header; i = i + 2) {
        word16 = ((buff[i] << 8)&0xFF00)+(buff[i + 1]&0xFF);
        sum = sum + (u32) word16;
    }

    // take only 16 bits out of the 32 bit sum and add up the carries
    while
(sum >> 16)
        sum = (sum & 0xFFFF)+(sum >> 16);

    // one's complement the result
    sum = ~sum;

    return ((u16) sum);
}

int usage() {
    fprintf(stderr, "Usage: verifier [-v] -i input_file -r reference_filen");
    exit(1);
}

int main(int argc, char **argv) {
    int verbose = 0;
    opterr = 0;
    char c;
    char *ifilename, *rfilename;
    struct stat st;
    while ((c = getopt(argc, argv,
"vi:r:")) != -1) {
        if (c == 'i') {
            ifilename = optarg;
            if (stat(ifilename, &st) != 0) {
                fprintf(stderr, "File does not exist!n");
                exit(1);
            }
        } else if (c == 'r') {
            rfilename = optarg;
            if (stat(rfilename, &st) != 0) {
                fprintf(stderr, "File does not exist!n");
                exit(1);
            }

} else if (c == 'v') {
            verbose = 1;
        } else {
            usage();
        }
    }

    pcap_t *ihandle = NULL, *rhandle = NULL;
    char errbufi[PCAP_ERRBUF_SIZE], errbufr[PCAP_ERRBUF_SIZE];
    ihandle = pcap_open_offline(ifilename, errbufi);
    rhandle = pcap_open_offline(rfilename, errbufr);
    struct pcap_pkthdr ihdr, rhdr;
    const u_char *ipkt, *rpkt;
    ipkt = malloc(MAX_PACKET_SIZE);
    rpkt =
malloc(MAX_PACKET_SIZE);
    if (ipkt == NULL || rpkt == NULL) {
        perror("malloc");
        exit(1);
    }
    int pc = -1; /* Packet counter */
    char flags[MAX_PACKETS_NO]; /* Broken or Not */
    memset(flags, PKT_OK, MAX_PACKETS_NO);
    while ((ipkt = pcap_next(ihandle, &ihdr)) && (rpkt = pcap_next(rhandle, &rhdr))) {
        pc++;
        /* Typecasting input packet*/
        const struct
sniff_ethernet *iethernet; /* The ethernet header */
        const struct sniff_ip *iip; /* The IP header */
        const struct sniff_icmp *iicmp; /* The ICMP header */
        const char *ipayload; /* Packet payload */
        u_int isize_ip;
        iethernet = (struct sniff_ethernet*) (ipkt);
        iip = (struct sniff_ip*) (ipkt + SIZE_ETHERNET);
        isize_ip = IP_HL(iip)*4;
        if (isize_ip < 20) {
            fprintf(stderr, "   * Invalid
IP header length: %u bytesn", isize_ip);
            continue;
        }
        iicmp = (struct sniff_icmp*) (ipkt + SIZE_ETHERNET + isize_ip);
        ipayload = (char *) (ipkt + SIZE_ETHERNET + isize_ip + SIZE_ICMP);
        /* Typecasting reference packet*/
        const struct sniff_ethernet *rethernet; /* The ethernet header */
        const struct sniff_ip *rip; /* The IP header */
        const struct sniff_icmp *ricmp; /* The ICMP header */

const char *rpayload; /* Packet payload */
        u_int rsize_ip;
        rethernet = (struct sniff_ethernet*) (rpkt);
        rip = (struct sniff_ip*) (rpkt + SIZE_ETHERNET);
        rsize_ip = IP_HL(rip)*4;
        if (rsize_ip < 20) {
            fprintf(stderr, "   * Invalid IP header length: %u bytesn", rsize_ip);
            continue;
        }
        ricmp = (struct sniff_icmp*) (rpkt + SIZE_ETHERNET + rsize_ip);
        rpayload = (char *) (rpkt
+ SIZE_ETHERNET + rsize_ip + SIZE_ICMP);

        /* Here comes the validation process */
        /* Check IP checksum */
        u16 ipbuf[isize_ip];
        u16 ipsum = ntohs(iip->ip_sum);
        int i;
        for (i = 0; i < isize_ip; i++) {
            if (i == 10 || i == 11)
                ipbuf[i] = 0x00;
            else
                ipbuf[i] = *((u_char *) (ipkt + SIZE_ETHERNET + i));
        }
        if (ipsum !=
ip_sum_calc(isize_ip, ipbuf)) {
            flags[pc] = ERR_IP_SUM;
            continue;
        }
        /* Check ICMP checksum */
        int plen = ihdr.len - SIZE_ETHERNET - isize_ip - 8;
        u16 icmpbuf[8 + plen];
        u16 icmpsum = ntohs(iicmp->icmp_sum);
        for (i = 0; i < 8; i++) {
            if (i == 2 || i == 3)
                icmpbuf[i] = 0x00;
            else
                icmpbuf[i] = *((u_char *) (ipkt +
SIZE_ETHERNET + isize_ip + i));
        }
        for (i = 0; i < plen; i++) {
            icmpbuf[i + 8] = *((u_char *) (ipayload + i));
        }
        if (icmpsum != ip_sum_calc(8 + plen, icmpbuf)) {
            flags[pc] = ERR_ICMP_SUM;
            continue;
        }
        /* Check IP TTL */
        if (iip->ip_ttl <= 0) {
            flags[pc] = ERR_IP_TTL;
            continue;
        }
        /* Check IP source
address */
        if (iip->ip_src.s_addr != rip->ip_src.s_addr) {
            flags[pc] = ERR_IP_SADDR;
            continue;
        }
        /* Check IP destinataion address */
        if (iip->ip_dst.s_addr != rip->ip_dst.s_addr) {
            flags[pc] = ERR_IP_DADDR;
            continue;
        }

        /* Check ICMP type */
        if (iicmp->icmp_type != ricmp->icmp_type) {
            flags[pc] = ERR_ICMP_TYPE;

continue;
        }
        /* Check ICMP ID */
        if (iicmp->icmp_id != ricmp->icmp_id) {
            flags[pc] = ERR_ICMP_ID;
            continue;
        }
        /* Check ICMP sequence number */
        if (iicmp->icmp_sequence != ricmp->icmp_sequence) {
            flags[pc] = ERR_ICMP_SEQ;
            continue;
        }
    }
    pc++;
    int bc = 0; /* Broken packet counter */
    int i;
    for (i = 1; i <= pc;
i++) {
        if (flags[i-1])
            bc++;
        if (verbose) {
            switch (flags[i-1]) {
                case PKT_OK:
                    fprintf(stdout, "Validation passed: %d/%dn", i, pc);
                    break;
                case ERR_IP_SUM:
                    fprintf(stdout, "IP checksum failed: %d/%dn", i, pc);
                    break;
                case ERR_IP_TTL:
                    fprintf(stdout, "IP TTL check
failed: %d/%dn", i, pc);
                    break;
                case ERR_IP_SADDR:
                    fprintf(stdout, "IP source address check failed: %d/%dn", i, pc);
                    break;
                case ERR_IP_DADDR:
                    fprintf(stdout, "IP destination address check failed: %d/%dn", i, pc);
                    break;
                case ERR_ICMP_SUM:
                    fprintf(stdout, "ICMP checksum
failed: %d/%dn", i, pc);
                    break;
                case ERR_ICMP_TYPE:
                    fprintf(stdout, "ICMP type check failed: %d/%dn", i, pc);
                    break;
                case ERR_ICMP_ID:
                    fprintf(stdout, "IP ID check failed: %d/%dn", i, pc);
                    break;
                case ERR_ICMP_SEQ:
                    fprintf(stdout, "IP sequence check failed: %d/%dn", i, pc);

break;
                default:
                    fprintf(stderr, "ERROR: Unknwon error type.n");
                    break;
            }
        }
    }
    if (bc == 0)
        fprintf(stdout, "%d packets passed validationn", pc);
    else
        fprintf(stdout, "%d out of %d packets failed validationn", bc, pc);
    /* Return number of packets passed validation */
    return (pc - bc);
}
Leave a Comment

Technical Details

We define a BPF filter as “icmp and dst host <bouncer_ip>”, which filters out all none-ICMP packets and packets not destined to the bouncer. The we compile this filter and set the filter to the capture device.

When the capture device captures a packet, a process_pkt function is called to process the packet. And that is where we validate the packets and then, if the packet is valid, update
the packet and then send it out, or write the packet to a dump file.

The process of validating the packets are as follows:

  1. Validate checksum of IP header.
  2. Validate TTL of IP.
  3. Validate IP source address
  4. Validate ICMP header checksum. 
  5. Validate ICMP type and code. 

Since we write the packet to a dump file in a separate function, so a pointer to the dump file handler is passed to the processing function when the process_pkt function is called. The same method is used to pass server IP address and test mode flag.

We keep a linked list of all the ICMP echo requests. When a ICMP echo reply is received, we go through the linked list to find out where
the original echo request comes from.

The code is as follows.

bouncer.h:

/* Global definitions for the port bouncer
 * Packet headers and so on
 */

#define _BSD_SOURCE 1

#include 
#include 
#include 
#include 
#include 

/* PCAP declarations*/
#include 

/* Standard networking declaration */
#include 
#include 
#include 

/*
 * The following system include files should provide you with the 
 * necessary declarations for Ethernet, IP, and TCP headers
 */

#include 
#include 
#include 
#include 

/* Add any otherdeclarations you may need here... */

#define MAX_PACKET_SIZE 65535

/* Ethernet addresses are 6 bytes */
//#define ETHER_ADDR_LEN	6

/* Ethernet header */
struct sniff_ethernet {
    u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
    u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
    u_short ether_type; /* IP? ARP? RARP? etc */
};

/* IP header */
struct sniff_ip {
    u_char ip_vhl; /*version << 4 | header length >> 2 */
    u_char ip_tos; /* type of service */
    u_short ip_len; /* total length */
    u_short ip_id; /* identification */
    u_short ip_off; /* fragment offset field */
#define IP_RF 0x8000		/* reserved fragment flag */
#define IP_DF 0x4000		/* dont fragment flag */
#define IP_MF 0x2000		/* more fragments flag */
#define IP_OFFMASK 0x1fff	/* mask for fragmenting bits */
    u_char ip_ttl; /*time to live */
    u_char ip_p; /* protocol */
    u_short ip_sum; /* checksum */
    struct in_addr ip_src, ip_dst; /* source and dest address */
};
#define IP_HL(ip)		(((ip)->ip_vhl) & 0x0f)
#define IP_V(ip)		(((ip)->ip_vhl) >> 4)

/* ICMP header */
struct sniff_icmp {
    u_char icmp_type;
#define ICMP_ECHO 0x8
#define ICMP_REPLY 0x0
    u_char icmp_code;
    u_int16_t icmp_sum;
    u_int16_t icmp_id;
u_int16_t icmp_sequence;
};

#define SIZE_ETHERNET 14
#define SIZE_ICMP 8

#define IP_QUAD(ip)  (ip)>>24,((ip)&0x00ff0000)>>16,((ip)&0x0000ff00)>>8,((ip)&0x000000ff)

struct request{
    struct request* next;
    struct sniff_ip* ip;
    struct sniff_icmp* icmp;
};

process_pkt.c:

#include "bouncer.h"

/* CRC
 * Adopted from http://www.netfor2.com/ipsum.htm
 */
typedef unsigned short u16;
typedef unsigned long u32;

u16 ip_sum_calc(u16 len_ip_header, u16 buff[]) {
    u16 word16;
    u32 sum =0;
    u16 i;

    // make 16 bit words out of every two adjacent 8 bit words in the packet
    // and add them up
    for (i = 0; i < len_ip_header; i = i + 2) {
        word16 = ((buff[i] << 8)&0xFF00)+(buff[i + 1]&0xFF);
        sum = sum + (u32) word16;
    }

    // take only 16 bits out of the 32 bit sum and add up the carries
    while (sum >> 16)
        sum = (sum & 0xFFFF)+(sum >> 16);

    // one'scomplement the result
    sum = ~sum;

    return ((u16) sum);
}

void process_pkt(u_char *args, struct pcap_pkthdr *header,
        u_char *packet) {
    if(header->caplen < header->len){
        fprintf(stderr, "ERROR: Packet data not captured completely\n");
        return;
    }
    /* Main function to perform the bouncing */
    u_char testmode = *args;
    char *serv_addr = (char *) (args + 1);
    u_int32_t dst_addr =inet_addr(serv_addr);
    //pcap_dumper_t *dumper = NULL;
    u_char *dumper = NULL;
    memcpy(&dumper, args + 2 + strlen(serv_addr), sizeof (pcap_dumper_t *));
    struct request ** prequests = NULL;
    memcpy(&prequests, args + 2 + strlen(serv_addr) + sizeof (pcap_dumper_t *), sizeof (struct request**));
    //struct request *requests = *prequests;

    /* Typecasting packet*/
    struct sniff_ethernet *ethernet; /* The ethernet header */
struct sniff_ip *ip; /* The IP header */
    struct sniff_icmp *icmp; /* The ICMP header */
    char *padding; /* Packet padding */
    u_int size_ip;
    ethernet = (struct sniff_ethernet*) (packet);
    ip = (struct sniff_ip*) (packet + SIZE_ETHERNET);
    size_ip = IP_HL(ip)*4;
    u_int32_t srcip = ntohl(ip->ip_src.s_addr);
    if (size_ip < 20 || size_ip > header->len - SIZE_ETHERNET) {
        fprintf(stderr, "ERROR: Invalid IP header length: %ubytes\n", size_ip);
        if (testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }
    icmp = (struct sniff_icmp*) (packet + SIZE_ETHERNET + size_ip);
    padding = (u_char *) (packet + SIZE_ETHERNET + size_ip + SIZE_ICMP);

    /* Validate the packet */
    /* Validate IP header */
    /* Check IP version */
    u_char v = ip->ip_vhl>> 4;
    if(v != 4){
        fprintf(stderr, "ERROR: Wrong IP verison %d\n", v);
        return;
    }
    /* Validate CRC */
    u16 ipbuf[size_ip];
    u16 ipsum = ntohs(ip->ip_sum);
    int i;
    for (i = 0; i < size_ip; i++) {
        if (i == 10 || i == 11)
            ipbuf[i] = 0x00;
        else
            ipbuf[i] = *((u_char *) (packet + SIZE_ETHERNET + i));
    }
    if (ipsum != ip_sum_calc(size_ip, ipbuf)) {
fprintf(stderr, "ERROR: ip checksum mismatch. Dropping packet from %u.%u.%u.%u\n",
                IP_QUAD(srcip));
        if (testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }
    /* Validate TTL */
    if (ip->ip_ttl <= 0) {
        fprintf(stderr, "ERROR: ip TTL expired. Dropping packet from %u.%u.%u.%u\n",
IP_QUAD(srcip));
        if (testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }
    /* Validate IP source address */
    if (srcip == 0x00000000 || srcip >= 0xE0000000
            || (srcip & 0x000000FF) == 0x000000FF || (srcip & 0x000000FF) == 0x00000000) {
        fprintf(stderr, "ERROR: ip source address invalid. Dropping packetfrom %u.%u.%u.%u\n",
                IP_QUAD(srcip));
        if (testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }

    /* Validate ICMP header */
    /* Validate ICMP type and code */
    if (!(icmp->icmp_code == 0 && (icmp->icmp_type == 0 || icmp->icmp_type == 8))) {
        fprintf(stderr, "ERROR: icmp type orcode unsupported. Dropping packet from %u.%u.%u.%u\n",
                IP_QUAD(srcip));
        if (testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }
    /* Validate CRC */
    int plen = header->len - SIZE_ETHERNET - size_ip - 8;
    u16 icmpbuf[8 + plen];
    u16 icmpsum = ntohs(icmp->icmp_sum);
    for (i = 0; i < 8;i++) {
        if (i == 2 || i == 3)
            icmpbuf[i] = 0x00;
        else
            icmpbuf[i] = *((u_char *) (packet + SIZE_ETHERNET + size_ip + i));
    }
    for (i = 0; i < plen; i++) {
        icmpbuf[i + 8] = *((u_char *) (padding + i));
    }
    if (icmpsum != ip_sum_calc(8 + plen, icmpbuf)) {
        fprintf(stderr, "ERROR: icmp checksum mismatch. Dropping packet from %u.%u.%u.%u\n",
                IP_QUAD(srcip));
        if(testmode == 1) {
            header->caplen = 0;
            header->len = 0;
            pcap_dump(dumper, header, packet);
        }
        return;
    }

    /* Update the packet */
    if (icmp->icmp_type == 0) {
        /* ICMP echo reply */
        ip->ip_src.s_addr = ip->ip_dst.s_addr;
        /* Search the linked list for client address */
        if (*prequests == NULL) {
            fprintf(stderr, "ERROR: process_pkt: nullrequest linked list\n");
            return;
        } else {
            /* Find where the request comes from */
            struct request *r;
            for (r = *prequests; r != NULL; r = r->next) {
                if (r->icmp->icmp_id == icmp->icmp_id && r->icmp->icmp_sequence == icmp->icmp_sequence) {
                    ip->ip_dst.s_addr = r->ip->ip_src.s_addr;
                    break;
                }
}
            if (r == NULL) {
                fprintf(stderr, "ERROR: no match echo requests in stack\n");
                return;
            }
            /* Remove the request from the linked list */
            struct request *rr = *prequests;
            if (rr == r) {
                free(rr->icmp);
                free(rr->ip);
                *prequests = r->next;
                free(r);
            } else {
                while (rr!= r)
                    rr = rr->next;
                free(rr->icmp);
                free(rr->ip);
                rr->next = r->next;
                free(r);
            }
        }
    } else {
        /* ICMP echo request */
        /* Add new request to linked list */
        struct request *r;
        r = malloc(sizeof (struct request));
        if (r == NULL) {
            perror("ERROR: process_pkt:malloc");
            return;
        }
        struct sniff_ip *ipt = malloc(sizeof (struct sniff_ip));
        if (ipt == NULL) {
            perror("ERROR: process_pkt: malloc");
            return;
        }
        memcpy(ipt, ip, sizeof (struct sniff_ip));
        r->ip = ipt;
        struct sniff_icmp* icmpt = malloc(sizeof (struct sniff_icmp));
        if (icmpt == NULL) {
            perror("ERROR: process_pkt: malloc");
return;
        }
        memcpy(icmpt, icmp, sizeof (struct sniff_icmp));
        r->icmp = icmpt;
        r->next = *prequests;
        *prequests = r;
        /* Update destination address */
        ip->ip_src.s_addr = ip->ip_dst.s_addr;
        ip->ip_dst.s_addr = dst_addr;
    }
    /* Recaculate CRC */
    for (i = 0; i < size_ip; i++) {
        if (i == 10 || i == 11)
            ipbuf[i] = 0x00;
        else
ipbuf[i] = *((u_char *) (packet + SIZE_ETHERNET + i));
    }
    ip->ip_sum = htons(ip_sum_calc(size_ip, ipbuf));
    if (testmode == 0) {
        pcap_t *handle = NULL;
        char errbuf[PCAP_ERRBUF_SIZE], *device = "tap0";
        memset(errbuf, 0, PCAP_ERRBUF_SIZE);
        if ((handle = pcap_open_live(device, MAX_PACKET_SIZE, 1, 512, errbuf)) == NULL) {
            fprintf(stderr, "ERROR: %s\n", errbuf);
            exit(1);
        }
        /*Send the packet to network */
        if (pcap_sendpacket(handle, packet, header->len) != 0) {
            perror("ERROR: process_pkt: pcap_sendpacket");
            exit(1);
        }
        pcap_close(handle);
        fprintf(stderr, "Bouncer: packet sent\n");
    } else {
        /* Or put it back on stdout */
        int i = 0;
        for (i = 0; i < ETHER_ADDR_LEN; i++)
            ethernet->ether_shost[i] = 1;
        if(icmp->icmp_type == 0) {
            for (i = 0; i < ETHER_ADDR_LEN; i++)
                ethernet->ether_dhost[i] = 2;
        } else if (icmp->icmp_type == 8) {
            for (i = 0; i < ETHER_ADDR_LEN; i++)
                ethernet->ether_dhost[i] = 3;
        }
        pcap_dump(dumper, header, packet);

////////////////////////////////////////////////////////////////////////
/*
        pcap_t *handle = NULL;
        char errbuf[PCAP_ERRBUF_SIZE], *device = "tap0";
        memset(errbuf, 0, PCAP_ERRBUF_SIZE);
        if ((handle = pcap_open_live(device, MAX_PACKETS_NO, 1, 512, errbuf)) == NULL) {
            fprintf(stderr, "ERROR: %s\n", errbuf);
            exit(1);
        }
        if (pcap_sendpacket(handle, packet, header->len) != 0) {
perror("ERROR: process_pkt: pcap_sendpacket");
            exit(1);
        }
        pcap_close(handle);
        fprintf(stderr, "Packet sent\n");
*/
        ////////////////////////////////////////////////////////////////////////

    }
    return;
}
Leave a Comment

Packet Bouncer Overview

A bouncer bounces packets it receives from clients to servers. This is useful when people want to hide their internal network topologies. In this report, we examine a very simple case of bouncer — a bouncer that only bounces ICMP requests. When it receives an ICMP echo request, it modify the packet and forward it to the server specified by the user. After receiving the echo reply packet, it
again modifies the packet and finds out where to send the packet and then sends out the reply packet.

Leave a Comment