haka-security / haka

Haka runtime
http://haka-security.org
Mozilla Public License 2.0

need TCP injection attack detection #17

Open david415 opened 9 years ago

david415 commented 9 years ago

You absolutely must ship some sort of mechanism to detect TCP injection attacks. You should try to have feature parity with HoneyBadger (which is a working POC but still not ready for production) https://honeybadger.readthedocs.org/ https://github.com/david415/HoneyBadger

Of course to have comprehensive TCP injection attack detection you must detect all 3 or 4 broader categories of attack:

  1. segment veto: the injected packet(s) are the exact same size as those sent out by the legit party. Client and server remain in sync.
  2. sloppy injection: the injected packet(s) are different sizes than that of the legit party. Client and server fall out of sync.
  3. out-of-order coalesce injection: injected packets are ahead of the next sequence. Injection of data takes place during coalescence.
  4. handshake hijack: the attacker responds to the SYN with a SYN/ACK before the legit party can do so. Detecting this is really simple.

There's more: such as sloppy injection that gradually brings client and server back into sequence synchronization.

I would really like to help you implement this feature.

david415 commented 9 years ago

With regards to TCP injection attacks there are two main categories:

  1. handshake hijack attack
  2. post-handshake midstream injection attacks

Perhaps we can write some fairly simple rules to detect handshake hijack attacks... I've got some working golang reference code to do this right now AND this is easy anyhow.

With regards to detecting category 2 attacks there are 3 sub categories:

  1. segment veto
  2. sloppy injection
  3. out-of-order future coalesce injection

Perhaps with a simple ruleset, attack 1 (segment veto) can be detected. Merely detecting a duplicate sequence number and then comparing TCP segments will work.

However, I highly doubt that "simple rules" will be able to detect attacks 2 and 3... Each incoming packet payload must be matched with an overlapping section of the reassembled TCP stream... the overlapping portion of the stream is compared; if different, then it's an injection attack. If they are equal then it's a normal TCP retransmission.

I am curious... could haka security's lua interpreter be used to implement full TCP injection attack detection? I am interested in comprehensive coverage here... because I'd like to collect statistics on which types of TCP attacks occur most often... and how they are implemented... and many other pieces of metadata about the attacks.
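The comparison described in the comment above, written out as an added Go example (this is not code from Haka or HoneyBadger): every byte of an incoming segment is checked against whatever was already recorded at the same stream offsets, identical overlap is a retransmission, any mismatch is flagged as injection. It assumes one direction of one connection, that it is only called for data-carrying segments, and the HTTP-like sample bytes in main are constructed for the demo.

```go
package main
import "fmt"
type Verdict int // classification of one incoming TCP segment
const (
	InOrder    Verdict = iota // new bytes contiguous with the stream
	Future                    // new bytes beyond a gap: kept, coalesced when the gap fills
	Retransmit                // every byte already seen and identical: benign retransmission
	Injection                 // an already-seen byte differs: injected data
)
// Stream holds one direction of a connection. A byte map keeps the example
// short; a real reassembler would track byte ranges instead.
type Stream struct {
	base uint32         // sequence number of stream offset 0
	next int64          // first offset not yet seen contiguously
	seen map[int64]byte // every byte observed so far, in order or not
}

// Check compares the segment with every byte already recorded at the same offsets:
// identical overlap is a retransmission, any mismatch is an injection. Out-of-order
// bytes are compared the same way, so all three midstream categories surface here.
func (s *Stream) Check(seq uint32, payload []byte) Verdict {
	off := int64(int32(seq - s.base)) // offset relative to base; wrap-safe in-window
	ahead, fresh := off > s.next, false
	for i, b := range payload {
		if old, ok := s.seen[off+int64(i)]; ok && old != b {
			return Injection // flags the conflict; which segment is the attacker's is not decided here
		} else if !ok {
			fresh = true
		}
	}
	if !fresh {
		return Retransmit
	}
	for i, b := range payload { // store only after the whole segment passed the comparison
		s.seen[off+int64(i)] = b
	}
	for _, ok := s.seen[s.next]; ok; _, ok = s.seen[s.next] {
		s.next++ // advance the contiguous edge, absorbing any buffered future bytes
	}
	if ahead {
		return Future
	}
	return InOrder
}

func main() { // stand-alone demo: same sequence number, same size, different bytes
	s := &Stream{base: 1000, seen: map[int64]byte{}}
	s.Check(1000, []byte("GET / HTTP/1.1\r\n"))
	fmt.Println("segment veto flagged:", s.Check(1000, []byte("GET / HTTP/1.0\r\n")) == Injection)
}
```

The verdict only says that two segments disagree about the same bytes; deciding which one came from the legitimate peer needs extra context such as timing or TTL.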

david415 commented 9 years ago

I've tried to write clearer definitions for each possible TCP injection attack here:

https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-badger-the-puppet-masters.rst#tcp-injection-attack-categories

You might be interested to try some pcap files which are known to have TCP injection attacks: https://github.com/david415/honeybadger-pcap-files

HoneyBadger now uses these as its pcap-driven integration tests...