OPNsense Forum

English Forums => General Discussion => Topic started by: honeybadger on February 23, 2016, 12:06:52 pm

Title: Announcing: Quantum Insert detection for OPNsense via HoneyBadger
Post by: honeybadger on February 23, 2016, 12:06:52 pm
Dear Edward Snowden, OPNsense users, TCP abolitionists and Cypherpunks,

Comprehensive Quantum Insert detection is coming to OPNsense!

I'd like to let you all know about HoneyBadger, a passive TCP protocol analyzer I wrote to detect TCP injection attacks.
These so-called "Quantum Insert" attacks are used to deliver 0-day payloads so that various oppressive political entities worldwide can use them for targeted surveillance of real people to violate their human rights.

https://github.com/david415/HoneyBadger
https://honeybadger.readthedocs.org/

There are some other tools that also detect *some* of these Quantum Insert attacks, but I think you might be interested
in using HoneyBadger instead of those other tools because:

- HoneyBadger is written in golang because langsec; language security is an important consideration and I'd like to point out
that IDS software written in C has had a long history of remote code execution vulnerabilities.

- HoneyBadger is comprehensive; I've classified TCP injection attacks into 5 categories:

1. handshake hijack
2. segment veto
3. sloppy injection
4. ordered coalesce
5. censorship injection (FIN/RST injection)

Soon I will be publishing a blog post about these attacks and detection. HoneyBadger can currently detect types 1-4, though we do have an experimental dev branch that can detect type 5, censorship injection.

Currently, HoneyBadger isn't super user-friendly; it's a tool for hackers and power users. However, I think there's lots of potential for developing a simple web UI for OPNsense users. Basically what I have in mind is two dynamic web pages:

1. a honeybadger configuration page
2. a logs and attack reporting page

Here's a funny blog post that was recently brought to my attention; it's written by someone who intentionally Quantum Inserted all his website visitors to see if anyone actually noticed:

http://www.tedunangst.com/flak/post/on-the-detection-of-quantum-insert


This begs the question:
Does anyone actually care to know if their Internet traffic has been attacked by Quantum Inserts?


Cheers from Berlin,
David Stainton
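The common thread running through the injection categories listed in the post above, as I read them, is that a later segment covers sequence space the flow has already delivered but carries different bytes, whereas a legitimate retransmission must repeat the original bytes exactly. The following is an added example illustrating that check, not code from HoneyBadger or from David's post: it assumes a simplified segment type (sequence number plus payload), keeps per-flow history in an unbounded map instead of a ring buffer, and reports each run of disagreeing bytes. The HTTP response and the overlapping "injected" segment in DemoScenario are constructed sample input.

```go
package main

import "fmt"

// Segment is a simplified TCP segment carrying only what the check needs:
// the sequence number of its first payload byte and the payload itself.
// (Constructed for this example; a real analyzer would parse captured packets.)
type Segment struct {
	Seq     uint32
	Payload []byte
}

// Discrepancy records an overlap whose bytes disagree with what the flow
// already delivered. A genuine retransmission repeats the same bytes, so a
// disagreement is the signal worth logging and alerting on.
type Discrepancy struct {
	Seq      uint32 // sequence number where the mismatching run starts
	Expected []byte // bytes previously seen for that range
	Got      []byte // bytes carried by the later segment
}

// FlowTracker remembers the payload already observed for one direction of a
// flow, keyed by absolute sequence number. It is deliberately unbounded
// (an assumption for brevity); a production tool would use a ring buffer so
// that long flows cannot exhaust memory.
type FlowTracker struct {
	seen map[uint32]byte
}

func NewFlowTracker() *FlowTracker {
	return &FlowTracker{seen: make(map[uint32]byte)}
}

// Observe records a segment and returns any runs of bytes that disagree
// with data already seen for overlapping sequence numbers. The first-seen
// byte is kept; a later, differing byte never overwrites the history.
// Sequence arithmetic wraps modulo 2^32 through ordinary uint32 addition.
func (f *FlowTracker) Observe(s Segment) []Discrepancy {
	var out []Discrepancy
	var cur *Discrepancy
	for i, b := range s.Payload {
		seq := s.Seq + uint32(i)
		prev, ok := f.seen[seq]
		switch {
		case ok && prev != b:
			if cur == nil {
				cur = &Discrepancy{Seq: seq}
			}
			cur.Expected = append(cur.Expected, prev)
			cur.Got = append(cur.Got, b)
			continue
		case !ok:
			f.seen[seq] = b
		}
		// Byte matched history or was new: close any open mismatch run.
		if cur != nil {
			out = append(out, *cur)
			cur = nil
		}
	}
	if cur != nil {
		out = append(out, *cur)
	}
	return out
}

// DemoScenario replays a constructed flow: a server response, an identical
// retransmission (clean), and then an overlapping segment with different
// content at the same sequence numbers. It returns the discrepancies the
// last segment produces.
func DemoScenario() []Discrepancy {
	ft := NewFlowTracker()
	original := Segment{Seq: 1000, Payload: []byte("HTTP/1.1 200 OK\r\n")}
	ft.Observe(original) // first delivery
	ft.Observe(original) // identical retransmission: no discrepancy
	// Constructed overlapping segment that disagrees with delivered bytes.
	overlap := Segment{Seq: 1000, Payload: []byte("HTTP/1.1 302 Found\r\n")}
	return ft.Observe(overlap)
}

func main() {
	for _, d := range DemoScenario() {
		fmt.Printf("seq %d: expected %q, got %q\n", d.Seq, d.Expected, d.Got)
	}
}
```

Running it reports three mismatching runs starting at sequence 1009 (the status code and the reason phrase differ), while the identical retransmission is silent. Keying on first-seen bytes is the design choice that matters: a detector that overwrote history with the later segment would erase the very evidence it needs.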
Title: Re: Announcing: Quantum Insert detection for OPNsense via HoneyBadger
Post by: franco on February 23, 2016, 10:13:59 pm
Hi David,

Thanks for bringing this to our attention, and to Shawn for adding a FreeBSD port so quickly. Tomorrow's 16.1.4 will have the package ready for manual installation and general tinkering.

We invite everyone interested to try it. To install, simply run:

# pkg install honeybadger

And then follow David's docs for command line operation. Looking forward to your feedback. :)

https://honeybadger.readthedocs.org/en/latest/#deployment-on-hardenedbsd-example


Cheers,
Franco
Title: Re: Announcing: Quantum Insert detection for OPNsense via HoneyBadger
Post by: interfaSys on February 25, 2016, 12:07:50 am
It would be good to be able to use it in parallel with Suricata in IPS mode, which uses netmap and turns off the interface's promiscuous mode.