Dear Edward Snowden, OPNsense users, TCP abolitionists and Cypherpunks,
Comprehensive Quantum Insert detection is coming to OPNsense!
I'd like to let you all know about HoneyBadger, a passive TCP protocol analyzer I wrote to detect TCP injection attacks.
These so-called "Quantum Insert" attacks are used to deliver 0-day payloads so that various oppressive political entities worldwide can use them for targeted surveillance of real people to violate their human rights.
https://github.com/david415/HoneyBadger
https://honeybadger.readthedocs.org/
There are some other tools that also detect *some* of these Quantum Insert attacks, but I think you might be interested in using HoneyBadger instead of those other tools because:
- HoneyBadger is written in golang because langsec; language security is an important consideration and I'd like to point out that IDS software written in C has had a long history of remote code execution vulnerabilities.
- HoneyBadger is comprehensive; I've classified TCP injection attacks into 5 categories:
1. handshake hijack
2. segment veto
3. sloppy injection
4. ordered coalesce
5. censorship injection (FIN/RST injection)
Soon I will be publishing a blog post about these attacks and detection. HoneyBadger can currently detect types 1 - 4; though we do have an experimental dev branch that can detect type 5 censorship injection.
Currently, HoneyBadger isn't super user-friendly; it's a tool for hackers and power-users, however I think there's lots of potential for developing a simple web UI for OPNsense users. Basically what I have in mind is two dynamic web pages:
1. a honeybadger configuration page
2. a logs and attack reporting page
Here's a funny blog post that was recently brought to my attention; it's written by someone who intentionally Quantum Inserted all his website visitors to see if anyone actually noticed:
http://www.tedunangst.com/flak/post/on-the-detection-of-quantum-insert
This begs the question: does anyone actually care to know if their Internet traffic has been attacked by Quantum Inserts?
Cheers from Berlin,
David Stainton
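The post above names five injection categories but does not define them, so here is an added example (my own code, not HoneyBadger's) showing the passive detection principle that a tool like it builds on: a racing injected segment either conflicts with the real SYN/ACK (a different initial sequence number on the same connection, the "handshake hijack" case) or overlaps bytes the legitimate sender later retransmits or fills in with different content (the overlap cases). The flow key, the per-byte map, the alert kinds and the sample segments are all constructed and simplified for illustration; a real analyzer would bound its per-flow state and key flows on the full 4-tuple.

```go
package main

import "fmt"

// FlowKey identifies one direction of a TCP connection. Constructed
// simplification: "src -> dst" strings instead of a parsed 4-tuple.
type FlowKey struct{ Src, Dst string }

// Segment holds the header fields a passive injection detector needs.
type Segment struct {
	Flow    FlowKey
	Seq     uint32
	Payload []byte
	SYN     bool
	ACK     bool
}

// Alert is a suspected injection on a flow, with the offending sequence number.
type Alert struct {
	Kind string // "handshake-hijack" or "overlap-mismatch" (constructed labels)
	Flow FlowKey
	Seq  uint32
}

// Detector remembers, per flow, the first SYN/ACK initial sequence number
// and every payload byte already seen at each absolute sequence offset.
// Keying by absolute offset means out-of-order and future segments are
// compared on the same footing as in-order ones.
type Detector struct {
	isn  map[FlowKey]uint32
	seen map[FlowKey]map[uint32]byte
}

func NewDetector() *Detector {
	return &Detector{isn: map[FlowKey]uint32{}, seen: map[FlowKey]map[uint32]byte{}}
}

// Observe feeds one captured segment to the detector and returns any alerts.
func (d *Detector) Observe(s Segment) []Alert {
	var alerts []Alert
	if s.SYN && s.ACK {
		// A second SYN/ACK on the same flow is fine only if it repeats the
		// ISN we already saw (a plain retransmission); a different ISN means
		// two parties are answering the same handshake.
		if isn, ok := d.isn[s.Flow]; ok {
			if isn != s.Seq {
				alerts = append(alerts, Alert{Kind: "handshake-hijack", Flow: s.Flow, Seq: s.Seq})
			}
		} else {
			d.isn[s.Flow] = s.Seq
		}
		return alerts
	}
	bytesSeen := d.seen[s.Flow]
	if bytesSeen == nil {
		bytesSeen = map[uint32]byte{}
		d.seen[s.Flow] = bytesSeen
	}
	mismatch := false
	for i, b := range s.Payload {
		off := s.Seq + uint32(i) // uint32 arithmetic wraps like TCP sequence space
		if prev, ok := bytesSeen[off]; ok {
			if prev != b {
				mismatch = true // same stream position, different content
			}
		} else {
			bytesSeen[off] = b
		}
	}
	if mismatch {
		alerts = append(alerts, Alert{Kind: "overlap-mismatch", Flow: s.Flow, Seq: s.Seq})
	}
	return alerts
}

func main() {
	d := NewDetector()
	// Constructed flow: server 203.0.113.10:80 talking to client 192.0.2.5:40000.
	flow := FlowKey{Src: "203.0.113.10:80", Dst: "192.0.2.5:40000"}
	packets := []Segment{
		{Flow: flow, Seq: 1000, SYN: true, ACK: true},                     // real SYN/ACK
		{Flow: flow, Seq: 1000, SYN: true, ACK: true},                     // retransmission, quiet
		{Flow: flow, Seq: 7777, SYN: true, ACK: true},                     // conflicting ISN
		{Flow: flow, Seq: 1001, Payload: []byte("HTTP/1.1 200 OK\r\n")},   // real response
		{Flow: flow, Seq: 1001, Payload: []byte("HTTP/1.1 302 Fou")},      // racing segment
		{Flow: flow, Seq: 1001, Payload: []byte("HTTP/1.1 200 OK\r\n")},   // identical retransmit
	}
	for _, p := range packets {
		for _, a := range d.Observe(p) {
			fmt.Printf("ALERT %-17s flow=%s->%s seq=%d\n", a.Kind, a.Flow.Src, a.Flow.Dst, a.Seq)
		}
	}
}
```

Only the conflicting SYN/ACK and the racing response segment raise alerts; identical retransmissions stay silent, which is the distinction any production detector must get right or it will drown in false positives on lossy links.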
Hi David,
Thanks for bringing this to our attention and to Shawn for adding a FreeBSD port so quickly. Tomorrow's 16.1.4 will have the package ready for manual installation and general tinkering.
We invite everyone interested to try it. To install, simply run:
# pkg install honeybadger
And then follow David's docs for command line operation. Looking forward to your feedback. :)
https://honeybadger.readthedocs.org/en/latest/#deployment-on-hardenedbsd-example
Cheers,
Franco
It would be good to be able to use it in parallel with Suricata in IPS mode, which uses netmap and turns off the interface's promiscuous mode.