Open david415 opened 9 years ago
With regards to TCP injection attacks there are two main categories:
Perhaps we can write some fairly simple rules to detect handshake hijack attacks... I've got some working golang reference code to do this right now AND this is easy anyhow.
With regards to detecting category 2 attacks there are 3 sub categories:
Perhaps with a simple ruleset, attack 1 (segment veto) can be detected. Merely detecting a duplicate sequence number and then comparing the TCP segments will work.
However, I highly doubt that "simple rules" will be able to detect attacks 2 and 3... Each incoming packet payload must be matched with the overlapping section of the reassembled TCP stream... the overlapping portion of the stream is compared; if it differs, then it's an injection attack. If they are equal, then it's a normal TCP retransmission.
I am curious... could Haka Security's Lua interpreter be used to implement full TCP injection attack detection? I am interested in comprehensive coverage here... because I'd like to collect statistics on which types of TCP attacks occur most often... and how they are implemented... and many other pieces of metadata about the attacks.
I've tried to write clearer definitions for each possible TCP injection attack here:
You might be interested to try some pcap files which are known to have TCP injection attacks: https://github.com/david415/honeybadger-pcap-files
HoneyBadger now uses these as its pcap-driven integration tests...
You absolutely must ship some sort of mechanism to detect TCP injection attacks. You should try to have feature parity with HoneyBadger (which is a working POC but still not ready for production) https://honeybadger.readthedocs.org/ https://github.com/david415/HoneyBadger
Of course to have comprehensive TCP injection attack detection you must detect all 3 or 4 broader categories of attack:
There's more: such as sloppy injection that gradually brings client and server back into sequence synchronization.
I would really like to help you implement this feature.
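The overlap comparison described in the comments above (match each incoming payload against the already-seen bytes of the stream; identical overlap is a retransmission, differing overlap is an injection) can be shown in a few dozen lines. The following is an added example written for this thread; it is not HoneyBadger's or Haka's code. It assumes segments have already been decoded into a sequence number plus payload for one direction of one flow, ignores SYN/FIN sequence consumption and SACK, keeps every segment in memory (a real detector needs eviction), and uses 32-bit wrapping sequence comparison so overlaps across a sequence-number wrap are still caught. The sample segments in main are constructed for the demonstration. Attacks that gradually resynchronize the endpoints are not addressed here.

```go
package main

import (
	"bytes"
	"fmt"
)

// Segment is the part of a TCP segment the detector needs: the 32-bit
// sequence number of its first payload byte and the payload bytes.
type Segment struct {
	Seq     uint32
	Payload []byte
}

// Verdict classifies how a segment relates to data already seen on the flow.
type Verdict int

const (
	NoOverlap      Verdict = iota // only new bytes; nothing to compare against
	Retransmission                // overlapping bytes are identical
	Injection                     // overlapping bytes differ
)

func (v Verdict) String() string {
	return [...]string{"no-overlap", "retransmission", "injection"}[v]
}

// Detector tracks one direction of one flow. Segments are stored as received
// (assumed helper type, not a HoneyBadger API).
type Detector struct {
	segs []Segment
}

// seqBefore reports whether a precedes b in 32-bit wrapping sequence space.
func seqBefore(a, b uint32) bool { return int32(a-b) < 0 }

// overlap returns the half-open sequence range [start, end) shared by a and b,
// or ok=false when the two segments do not share any byte.
func overlap(a, b Segment) (start, end uint32, ok bool) {
	aEnd := a.Seq + uint32(len(a.Payload))
	bEnd := b.Seq + uint32(len(b.Payload))
	start = a.Seq
	if seqBefore(a.Seq, b.Seq) {
		start = b.Seq
	}
	end = aEnd
	if seqBefore(bEnd, aEnd) {
		end = bEnd
	}
	if !seqBefore(start, end) { // empty range: no shared bytes
		return 0, 0, false
	}
	return start, end, true
}

// Process compares seg with every stored segment it overlaps. The first
// differing overlap is reported as an injection together with the index of the
// stored segment it conflicts with, and the conflicting segment is not stored.
// Otherwise the segment is appended (retransmissions too, so that later
// injections against them are also caught) and -1 is returned as the index.
func (d *Detector) Process(seg Segment) (Verdict, int) {
	verdict := NoOverlap
	for i, old := range d.segs {
		start, end, ok := overlap(old, seg)
		if !ok {
			continue
		}
		n := end - start
		oldBytes := old.Payload[start-old.Seq : start-old.Seq+n]
		newBytes := seg.Payload[start-seg.Seq : start-seg.Seq+n]
		if !bytes.Equal(oldBytes, newBytes) {
			return Injection, i
		}
		verdict = Retransmission
	}
	d.segs = append(d.segs, seg)
	return verdict, -1
}

func main() {
	// Constructed sample flow: a request, a retransmission, then a forged
	// segment that reuses the sequence space of the Host header.
	d := &Detector{}
	for _, s := range []Segment{
		{1000, []byte("GET / HTTP/1.1\r\n")},
		{1016, []byte("Host: example.com\r\n")},
		{1000, []byte("GET / HTTP/1.1\r\n")},
		{1016, []byte("Host: attacker")},
	} {
		v, idx := d.Process(s)
		fmt.Printf("seq=%d len=%d -> %s (conflicts with stored #%d)\n",
			s.Seq, len(s.Payload), v, idx)
	}
}
```

Because the comparison is done against every stored segment, a retransmission that straddles two earlier segments is still recognised as benign, and an injected segment whose sequence range wraps past 2^32 is compared byte for byte just like any other.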