Thank you. On Monday, December 7, 2015, David Stainton <[email protected]> wrote:
>
> Dear Golang community, Edward Snowden, cypherpunks, Tor-relay operators,
> low-level network hackers and TCP abolitionists,
>
> I was inspired by the Snowden documents to write a TCP injection attack
> detection tool. Powerful entities worldwide are stockpiling zero-days.
> TCP injection attacks can be used to deliver many of these attacks.
>
> source:
> https://github.com/david415/HoneyBadger
>
> docs:
> https://honeybadger.readthedocs.org/en/latest/
>
> tasty pcap for "integration testing":
> https://github.com/david415/honeybadger-pcap-files
>
> HoneyBadger does bidirectional TCP stream reassembly... temporarily
> storing segments in a ring buffer for comparison to later received
> overlapping stream segments. In other words, it doesn't rely on simply
> matching duplicate sequence numbers but compares the actual overlapping
> stream segment contents. This more thorough approach is needed to account
> for TCP's retransmission, which can send various segment sizes that can
> differ from the original dropped segment length. Furthermore, we also detect
> the other injection types such as handshake hijack.
>
> The literature (go ahead and scour the Internet) does NOT mention all of
> the TCP injection attacks that are possible. I assert that there are 5
> possible types of TCP injection attack. I describe them here:
>
> https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst
>
> https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst#tcp-injection-attack-categories
>
> current honeybadger project status:
>
> - honeybadger seems mostly usable for use in the wild, though we are
> pretty sure that bugs exist and probably some false positive bugs at that.
>
> - active development halted several months ago when the implementation
> seemed good enough to deploy and sniff packets in the wild.
>
> - if in the future the gopacket dev team releases a new "sufficient" TCP
> reassembly API then I could severely reduce HoneyBadger's code size.
>
> - pull requests and github issue comments will inspire me to contribute
> feature additions and fixes
>
> It runs on Linux but does honeybadger work on *BSD?
>
> Of course it does... I wrote the gopacket BSD BPF sniffer API ;-p
> and tested honeybadger on NetBSD, FreeBSD and OpenBSD.
>
> I'd like to explore the possibility of writing a similar TCP injection
> attack detector in rust using libpnet as soon as libpnet is sufficiently
> mature to use for TCP analysis:
>
> https://github.com/libpnet/libpnet
>
> So what?
>
> 1. So... all TCP analyzers need to be rewritten to account for TCP
> injection attacks, otherwise you are doing it wrong.
>
> 2. So feel free to use HoneyBadger to analyze your own traffic over the
> wire or sketchy pcap files that you acquire; perhaps our data collection
> efforts will result in responsible disclosure of 0-days... and publicly
> reporting that in fact these TCP injection attacks do happen as targeted
> attacks against real people to violate their human rights.
>
> 3. So use my design in your software; the description of how to detect the
> 5 possible TCP injection attacks can serve as a part of a design document
> for other software projects to implement their own TCP injection attack
> detection.
>
> cheers from the Internet,
>
> David Stainton
_______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
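The detection idea quoted above (keep recent segments of each stream direction in a ring buffer and compare the bytes of any later overlapping segment, rather than just flagging repeated sequence numbers) as an added Go example. This is not HoneyBadger's code: the Segment and RingBuffer types, the 1000-range sequence numbers and the HTTP payloads are constructed for illustration. The scenario it runs shows why content comparison matters: a retransmission of only the tail of a reply (a different size than the original) raises nothing because its overlapping bytes match, while a segment covering the same range with different bytes raises one report per stored segment it contradicts.

```go
package main

import (
	"bytes"
	"fmt"
)

// Segment is one TCP payload chunk keyed by its absolute sequence number.
// (Constructed model for this example, not HoneyBadger's own types.)
type Segment struct {
	Seq     uint32
	Payload []byte
}

// InjectionReport records an overlap whose bytes disagree: the same sequence
// range was seen with two different payloads, which honest retransmission
// never produces.
type InjectionReport struct {
	Start, End  uint32 // overlapping sequence range [Start, End)
	Stored, New []byte // the differing bytes from the stored and the new segment
}

// RingBuffer keeps the most recent n segments of one stream direction so that
// later-arriving overlapping segments can be compared against them.
type RingBuffer struct {
	segs []Segment
	next int
	full bool
}

func NewRingBuffer(n int) *RingBuffer { return &RingBuffer{segs: make([]Segment, n)} }

// seqLess compares 32-bit sequence numbers modulo 2^32, so wraparound is handled.
func seqLess(a, b uint32) bool { return int32(a-b) < 0 }

func seqMax(a, b uint32) uint32 {
	if seqLess(a, b) {
		return b
	}
	return a
}

func seqMin(a, b uint32) uint32 {
	if seqLess(a, b) {
		return a
	}
	return b
}

// Check compares seg with every stored segment whose sequence range overlaps it
// and returns one report per overlap whose contents differ. Equal-content
// overlaps (retransmissions, whatever their size) produce no report. seg is
// then stored, overwriting the oldest entry once the ring is full.
func (r *RingBuffer) Check(seg Segment) []InjectionReport {
	var reports []InjectionReport
	segEnd := seg.Seq + uint32(len(seg.Payload))
	count := r.next
	if r.full {
		count = len(r.segs)
	}
	for i := 0; i < count; i++ {
		s := r.segs[i]
		sEnd := s.Seq + uint32(len(s.Payload))
		lo := seqMax(seg.Seq, s.Seq)
		hi := seqMin(segEnd, sEnd)
		if !seqLess(lo, hi) {
			continue // ranges do not overlap (or one segment is empty)
		}
		// Slice both payloads down to exactly the overlapping bytes.
		stored := s.Payload[lo-s.Seq : hi-s.Seq]
		fresh := seg.Payload[lo-seg.Seq : hi-seg.Seq]
		if !bytes.Equal(stored, fresh) {
			reports = append(reports, InjectionReport{Start: lo, End: hi, Stored: stored, New: fresh})
		}
	}
	r.segs[r.next] = seg
	r.next = (r.next + 1) % len(r.segs)
	if r.next == 0 {
		r.full = true
	}
	return reports
}

// Demo feeds one direction of a constructed stream through the buffer:
// an original server reply, an honest retransmission of only its tail
// (shorter than the original, same bytes), and a forged reply covering the
// same range with different bytes. It returns how many reports the
// retransmission raised (expected 0) and the reports raised by the forged
// segment (expected 2, one per stored segment it contradicts).
func Demo() (retransReports int, injected []InjectionReport) {
	rb := NewRingBuffer(8)
	rb.Check(Segment{Seq: 1000, Payload: []byte("HTTP/1.1 200 OK\r\n")})             // 17 bytes: [1000,1017)
	retransReports = len(rb.Check(Segment{Seq: 1009, Payload: []byte("200 OK\r\n")})) // tail retransmit: [1009,1017)
	injected = rb.Check(Segment{Seq: 1000, Payload: []byte("HTTP/1.1 302 Found\r\n")}) // forged: [1000,1020)
	return retransReports, injected
}

func main() {
	retrans, injected := Demo()
	fmt.Printf("retransmission reports: %d\n", retrans)
	for _, rep := range injected {
		fmt.Printf("overlap [%d,%d): stored %q vs new %q\n", rep.Start, rep.End, rep.Stored, rep.New)
	}
}
```

In a live analyzer there would be one such buffer per direction per flow, fed from the reassembly layer; the ring depth bounds memory per flow, and a segment that has already rotated out of the ring can no longer be compared, so depth trades memory against how late an overlapping segment can still be checked.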
