A connection cutter
What for?
Couic has been designed to enforce a security policy on
an internal network: it listens to everything and shoots.
How does it work?
Currently, couic is built on the
libnet and libpcap libraries. In the first
version, its argument had to be a tcpdump-style filter
expression. I have since added a configuration language, but it is a
little "surprising".
Couic shuts the TCP connections down with RST packets
and tries to disrupt UDP transfers with ICMP "host unreachable / bad
port" answers.
Where is the f... manual?
There isn't any! For the configuration language, have a look at
grammar.y
couic knows these options:
- -i eth0
  Listen on this network interface.
- -f file
  Read the commands from file...
- -t
  The next arguments are a tcpdump expression; couic kills
  everything that matches.
A few examples with tcpdump
- Deny any traffic on a network
    couic tcp or udp
- Deny any traffic to or from the gizmo machine
    couic \( tcp or udp \) and host gizmo
- Deny telnet on the whole network
    couic tcp and port 23
Some examples with the configuration language
- Deny any traffic on a network
    {any/tcp any/udp} { }
- Deny any traffic to or from the gizmo machine.
    {any/tcp any/udp} {
    deny gizmo
    }
- Deny telnet on the whole network
    {23/tcp} { }
- Allow telnet only between A and B
    {23/tcp} {
    allow between A and B
    }
- Allow telnet only from the 192.168.17.0 network
    {23/tcp} {
    allow from 192.168.17.0/24 to any
    }
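The five blocks above can be checked against sample flows before couic is run on a live network. The following is an added example, not couic's code: a small Python model of the semantics inferred from these examples only (grammar.y remains the authority). The tuple encoding, the HOSTS table and its addresses, and treating src as the connection initiator are assumptions made for illustration.

```python
import ipaddress

# Constructed name table standing in for name resolution (addresses are made up).
HOSTS = {"gizmo": "10.0.0.7", "A": "10.0.0.1", "B": "10.0.0.2"}

def in_spec(spec, addr):
    """True if addr is covered by spec: "any", a host name, an address or a CIDR."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(HOSTS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net

def rule_hits(rule, src, dst):
    """rule is (action, form, x[, y]); src is the initiator, dst the responder."""
    form, x, y = rule[1], rule[2], rule[3] if len(rule) > 3 else None
    if form == "host":       # "deny gizmo": either endpoint
        return in_spec(x, src) or in_spec(x, dst)
    if form == "between":    # "between A and B": either direction
        return (in_spec(x, src) and in_spec(y, dst)) or (in_spec(y, src) and in_spec(x, dst))
    if form == "from_to":    # "from X to Y": initiator in X, responder in Y (assumed)
        return in_spec(x, src) and in_spec(y, dst)
    raise ValueError(f"unknown rule form: {form}")

def would_cut(block, proto, port, src, dst):
    """Decide whether a flow to `port` would be cut under one {services} {rules} block."""
    services, rules = block
    if not any(p == proto and s in ("any", port) for s, p in services):
        return False         # the block does not cover this service
    actions = {r[0] for r in rules}
    if len(actions) > 1:
        raise ValueError("mixed allow/deny blocks are not shown on the page")
    hit = any(rule_hits(r, src, dst) for r in rules)
    if actions == {"deny"}:
        return hit           # deny-only block: only the listed hosts are cut
    return not hit           # empty or allow-only block: cut everything not allowed

# The page's five examples, in the tuple encoding assumed here.
ANY = [("any", "tcp"), ("any", "udp")]
TELNET = [(23, "tcp")]
DENY_ALL = (ANY, [])
DENY_GIZMO = (ANY, [("deny", "host", "gizmo")])
NO_TELNET = (TELNET, [])
TELNET_A_B = (TELNET, [("allow", "between", "A", "B")])
TELNET_FROM_17 = (TELNET, [("allow", "from_to", "192.168.17.0/24", "any")])
```

Note how the implicit default flips: an empty or allow-only block cuts everything it does not allow, while a deny-only block cuts only what it names.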
The name...
Couic is a silly and meaningless name. A friend gave it
a much better name: Cutting Off Unwanted IP
Connections. As it is a little long, you may shorten it
into couic.
To be done
- Remove some traps in the command language.
- Enable different policies, depending on the time or the
date.
- Do some nasty things - RST or ICMP "bad port" packets are
not so bad.
Limitations
- Couic is not very efficient against protocols which
  use small UDP transfers; for example, it cannot block the DNS service.
- Couic is powerless on a switched network.
- Couic is a dangerous weapon that can badly disrupt a
  network. Before you play some bad tricks on your
  colleagues, I want to let you know that arpwatch
  easily sees the packets that couic sends and that
  this kind of gag can cost you three years in jail in
  France... and probably in other countries.
Licence, copyright
This code is freely available under the GNU Public Licence,
without any warranty. Companies which are victims of a malicious use
of couic are kindly requested to keep me out of those
affairs.
According to French law, the "intellectual right" cannot be
waived, so I may still oppose any "inappropriate" use of this
tool. By "inappropriate" I mean anything that is against the law (see
previous paragraph) or business related and against the GPL, or
any wicked trick that may hurt anyone (including me, of course).
Source
Forum
I created a mailing list to discuss the development of
this terrific tool that will soon drastically change network
security ;-)
http://www.egroups.com/group/couic
Subscribe to couic-subscribe@egroups.com
Michel Arboi
Last modified: Sun Mar 25 16:19:29 CEST 2007