Detect "quantum insert" type of attacks

Description

Add detection for "quantum insert" type of attacks. Since the leaked information is classified, I will try to explain in unclassified form what it is about.

The idea is that you have a passive adversary that sniffs your TCP sequence numbers and injects its malicious payload faster than the real server.

One of the leaked documents mentions, as an alerting mechanism, detecting duplicate TCP sequence numbers from the same source where at least 10% of the beginning of the content of the two packets differs.

Environment

None

Activity

Seth Hall
September 4, 2015, 12:41 PM

This is already merged into master and is usable from there and will be a standard feature of 2.5.

YunH
April 22, 2015, 9:41 PM

We made a proof of concept Bro policy to detect QI here:
https://github.com/fox-it/quantuminsert/tree/master/detection/bro

It would be nice if the rexmit_inconsistency event could do this though.

Jon Siwek
February 9, 2015, 3:29 PM

Handling the "rexmit_inconsistency" event and comparing the mismatched content might be a way to do what you want.

https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html?highlight=rexmit_inconsistency#id-rexmit_inconsistency

Fixed

Assignee

Unassigned

Reporter

David André

Labels

None

External issue ID

None

Components

Priority

Normal