[tor-relays] ANN: TCP injection attack detection tool - honeybadger

OM Healing 100porcientosa at gmail.com
Mon Dec 7 17:31:37 UTC 2015


Thank you.

On Monday, December 7, 2015, David Stainton <dstainton415 at gmail.com> wrote:

>
> Dear Golang community, Edward Snowden, cypherpunks, Tor-relay operators,
> low-level network hackers and TCP abolitionists,
>
>
> I was inspired by the Snowden documents to write a TCP injection attack
> detection tool. Powerful entities worldwide are stockpiling zero-days.
> TCP injection attacks can be used to deliver many of these attacks.
>
> source:
> https://github.com/david415/HoneyBadger
>
> docs:
> https://honeybadger.readthedocs.org/en/latest/
>
> tasty pcap for "integration testing":
> https://github.com/david415/honeybadger-pcap-files
>
>
> HoneyBadger does bidirectional TCP stream reassembly... temporarily
> storing segments in ring buffer for comparison to later received
> overlapping stream segments. In other words it doesn't rely on simply
> matching duplicate sequence numbers but compares the actual overlapping
> stream segment contents. This more thorough approach is needed to account
> for TCP retransmission, which can send various segment sizes that can
> differ from the original dropped segment length. Furthermore we also detect
> the other injection types such as handshake hijack.
>
> The literature (go ahead and scour the Internet) does NOT mention all of
> the TCP injection attacks that are possible. I assert that there are 5
> possible types of TCP injection attack. I describe them here:
>
>
> https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst
>
>
> https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-detect-TCP-injection-attacks.rst#tcp-injection-attack-categories
>
>
> current honeybadger project status:
>
> - honeybadger seems mostly usable for use in the wild, though we are
> pretty sure that bugs exist and probably some false positive bugs at that.
>
> - active development halted several months ago when the implementation
> seemed good enough to deploy and sniff packets in the wild.
>
> - if in the future the gopacket dev team releases a new "sufficient" TCP
> reassembly API then I could severely reduce HoneyBadger's code size.
>
> - pull requests and github issue comments will inspire me to contribute
> feature additions and fixes
>
>
>
> It runs on Linux but does honeybadger work on *BSD?
>
> Of course it does... I wrote the gopacket BSD BPF sniffer API ;-p
> and tested honeybadger on NetBSD, FreeBSD and OpenBSD.
>
>
> I'd like to explore the possibility of writing a similar TCP injection
> attack detector in Rust using libpnet as soon as libpnet is sufficiently
> mature to use for TCP analysis:
>
> https://github.com/libpnet/libpnet
>
>
>
> So what?
>
> 1. So... all TCP analyzers need to be rewritten to account for TCP
> injection attacks, otherwise you are doing it wrong.
>
> 2. So feel free to use HoneyBadger to analyze your own traffic over the
> wire or sketchy pcap files that you acquire; perhaps our data collection
> efforts will result in responsible disclosure of 0-days... and publicly
> reporting that in fact these TCP injection attacks do happen as targeted
> attacks against real people to violate their human rights.
>
> 3. So use my design in your software; the description of how to detect the
> 5 possible TCP injection attacks can serve as a part of a design document
> for other software projects to implement their own TCP injection attack
> detection.
>
>
>
> cheers from the Internet,
>
> David Stainton
>
>
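The overlap-comparison idea David describes above (store recent segments in a ring buffer, then compare the bytes of any later segment that covers an already-seen sequence range, rather than just matching duplicate sequence numbers) as a small worked example in Go. This is added illustration, not HoneyBadger's own code: it ignores 32-bit sequence wrap-around and the gopacket capture plumbing, tracks a single direction, and the segments in main() are constructed sample input. The names Flow, Segment, Injection and Observe are the example's own.

```go
package main

import (
	"bytes"
	"fmt"
)

// Segment is one TCP payload with its absolute sequence number. Sequence
// numbers are uint64 here to sidestep 32-bit wrap-around, which a real
// reassembler must handle (constructed simplification).
type Segment struct {
	Seq     uint64
	Payload []byte
}

// Injection records a content mismatch between a stored segment and a later
// segment covering the same sequence range.
type Injection struct {
	Seq      uint64 // first sequence number of the overlapping region
	Stored   []byte // bytes previously seen for that region
	Received []byte // bytes the later segment carries for that region
}

// Flow is a bounded ring of recently seen segments for one direction.
type Flow struct {
	ring  []Segment
	next  int // slot the next stored segment goes into
	count int // number of valid slots
}

func NewFlow(ringSize int) *Flow {
	return &Flow{ring: make([]Segment, ringSize)}
}

func maxU64(a, b uint64) uint64 {
	if a > b {
		return a
	}
	return b
}

func minU64(a, b uint64) uint64 {
	if a < b {
		return a
	}
	return b
}

// overlap returns the sequence range a and b have in common and the bytes
// each carries for it; ok is false when they do not overlap at all.
func overlap(a, b Segment) (start uint64, sa, sb []byte, ok bool) {
	aEnd := a.Seq + uint64(len(a.Payload))
	bEnd := b.Seq + uint64(len(b.Payload))
	start = maxU64(a.Seq, b.Seq)
	end := minU64(aEnd, bEnd)
	if start >= end {
		return 0, nil, nil, false
	}
	return start, a.Payload[start-a.Seq : end-a.Seq], b.Payload[start-b.Seq : end-b.Seq], true
}

// Observe compares seg byte for byte against every stored segment whose
// sequence range overlaps it, then stores seg in the ring (evicting the
// oldest entry when full). A retransmission carrying the same bytes, whatever
// its size, yields nothing; a segment that re-covers a seen range with
// different bytes is reported.
func (f *Flow) Observe(seg Segment) []Injection {
	var found []Injection
	for i := 0; i < f.count; i++ {
		start, old, cur, ok := overlap(f.ring[i], seg)
		if !ok || bytes.Equal(old, cur) {
			continue
		}
		found = append(found, Injection{Seq: start, Stored: old, Received: cur})
	}
	f.ring[f.next] = seg
	f.next = (f.next + 1) % len(f.ring)
	if f.count < len(f.ring) {
		f.count++
	}
	return found
}

func main() {
	// Constructed client->server stream: an original segment, a smaller
	// retransmission of part of it (same bytes, different size), then a
	// segment that rewrites the same range with different bytes.
	f := NewFlow(16)
	for _, s := range []Segment{
		{Seq: 1000, Payload: []byte("GET / HTTP/1.1\r\n")},
		{Seq: 1004, Payload: []byte("/ HTTP/1.1")},          // benign retransmit
		{Seq: 1000, Payload: []byte("GET /x HTTP/1.1\r\n")}, // content differs
	} {
		for _, hit := range f.Observe(s) {
			fmt.Printf("mismatch at seq %d: stored %q vs received %q\n", hit.Seq, hit.Stored, hit.Received)
		}
	}
}
```

The second segment in main() is why the comparison has to be on content: its size and sequence number differ from the original, so a pure sequence-number check would either miss it or flag it, while the byte comparison correctly treats it as a retransmission. The third segment overlaps both stored entries and mismatches both, so two reports come out of one packet; a deployment would de-duplicate those per stream and also have to decide how long a ring of segments it is willing to keep per connection.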