So for a security-related application I'm writing, I actually want to use RFC 3514 ("The Evil Bit") to determine which traffic across the network is evil or not at a per-packet level. This is used as training data for an assisted machine learning engine, so the app has to know beforehand which packets are evil and which are not.
This ought to be fairly simple; it's just setting a single IP-layer bit. I've tried looking into doing this with iptables or libpcap, but either they don't have the functionality or I failed to discover it.
Being able to set it for all traffic out of a machine would be fine, but filters on what comes out would be better (like being able to specify which higher-layer protocols get it set, etc.).
I'm using Ubuntu, as well, so Linux solutions are preferred. But otherwise, it doesn't really matter what method is used to accomplish this: Bash script, C/C++ app, setting some sysctl, whatever.
Apparently this was actually implemented for FreeBSD; maybe you could look at their code?
http://www.cs.columbia.edu/~smb/3514.html
You have two options:
One is to use https://code.google.com/p/evilbitchanger/ , a Scapy-based script that does the Evil Bit setting work for you.
The other is to use raw Scapy scripting to craft the packets with the Evil Bit set. As documented, Scapy is capable of setting the Evil Bit flag quite easily:
>>> t=TCP()
>>> t.flags="SA"
>>> t.flags
18
>>> t
<TCP flags=SA |>
>>> t.flags=23
>>> t
<TCP flags=FSRA |>
>>> i=IP(flags="DF+MF")
>>> i.flags
3
>>> i
<IP flags=MF+DF |>
>>> i.flags=6
>>> i
<IP flags=DF+evil |>
Hope this helps.
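As an added example (not from the answer above, evilbitchanger, or Scapy itself), the following pure-Python code builds an IPv4 header with the RFC 3514 bit set exactly as Scapy's `i.flags=6` (DF+evil) does, and labels raw header bytes as evil or benign, which is the per-packet training label the question asks for. The addresses and protocol number are constructed sample values.

```python
import socket
import struct

# RFC 3514 places the "evil bit" in the reserved high-order bit of the 16-bit
# flags/fragment-offset word of the IPv4 header. Scapy exposes the top three
# bits of that word as flags with MF=1, DF=2, evil=4 (hence flags=6 is DF+evil).
EVIL_BIT = 0x8000
DF_BIT = 0x4000
MF_BIT = 0x2000
FRAG_OFFSET_MASK = 0x1FFF

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0,
                      evil: bool = False, df: bool = True) -> bytes:
    """Build a 20-byte IPv4 header whose flags word carries DF and optionally the evil bit."""
    flags_frag = (EVIL_BIT if evil else 0) | (DF_BIT if df else 0)  # fragment offset 0
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, proto, 0,  # checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]

def scapy_flags_value(raw: bytes) -> int:
    """The 3-bit value Scapy prints for IP().flags (MF=1, DF=2, evil=4)."""
    return struct.unpack("!H", raw[6:8])[0] >> 13

def label_packet(raw: bytes) -> dict:
    """Parse an IPv4 header and label it for the training set."""
    ver_ihl, _, _, _, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (ver_ihl & 0xF) * 4
    return {
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "proto": proto,
        # A correct header sums to zero when the checksum field is included.
        "checksum_ok": ipv4_checksum(raw[:header_len]) == 0,
        "label": "evil" if flags_frag & EVIL_BIT else "benign",
    }
```

The labelling half runs over any captured header bytes (e.g. from libpcap), so it can tag a whole trace without Scapy installed.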