[tor-relays] ANN: TCP injection attack detection tool - honeybadger
David Stainton
dstainton415 at gmail.com
Mon Dec 7 17:17:50 UTC 2015
Dear Golang community, Edward Snowden, cypherpunks, Tor-relay operators, low-level network hackers and TCP abolitionists,
I was inspired by the Snowden documents to write a TCP injection attack detection tool. Powerful entities world wide are stock piling zero-days. TCP injection attacks can be used to deliver many of these attacks.
source:
https://github.com/david415/HoneyBadger
docs:
https://honeybadger.readthedocs.org/en/latest/
tasty pcap for "integration testing":
https://github.com/david415/honeybadger-pcap-files
HoneyBadger does bidirectional TCP stream reassembly... temporarily storing segments in ring buffer for comparison to later received overlapping stream segments. In other words it doesn't rely on simply matching duplicate sequence numbers but compares the actual overlapping stream segment contents. This more thorough approach is needed to account for TCP's retransmission which can send various segments sizes that can differ from the original dropped segment length. Furthermore we also detect the other injection types such as handshake hijack.
The literature (go ahead and scour the Internet) does NOT mention all of the TCP injection attacks that are possible. I assert that there are 5 possible types of TCP injection attack. I describe them here:
https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst
https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst#tcp-injection-attack-categories
current honeybadger project status:
- honeybadger seems mostly useable for use in the wild, though we are pretty sure that bugs exist and probably some false positive bugs at that.
- active development halted several months ago when the implementation seemed good enough to deploy and sniff packets in the wild.
- if in the future the gopacket dev team releases a new "sufficient" TCP reassembly API then I could severely reduce HoneyBadger's code size.
- pull requests and github issue comments will inspire me to contribute feature additions and fixes
It runs on Linux but does honeybadger work on *BSD?
Of course it does... I wrote the gopacket BSD BPF sniffer API ;-p
and tested honeybadger on NetBSD, FreeBSD and OpenBSD.
I'd like to explore the possibility of writing a similar TCP injection attack detector in rust using libpnet as soon as libpnet is sufficiently mature to use for TCP analysis:
https://github.com/libpnet/libpnet
So what?
1. So... all TCP analyzers need to be rewritten to account for TCP injection attacks, otherwise you are doing it wrong.
2. So feel free to use HoneyBadger to analyze your own traffic over the wire or sketchy pcap files that you acquire; perhaps our data collection efforts will result in responsible disclosure of 0-days... and publicly reporting that in fact these TCP injection attacks do happen as targeted attacks against real people to violate their human rights.
3. So use my design in your software; The description of how to detect the 5 possible TCP injection attacks can serve as a part of a design document for other software projects to implement their own TCP injection attack detection.
cheers from the Internet,
David Stainton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20151207/06ed85fa/attachment.sig>
More information about the tor-relays
mailing list