From owner-freebsd-security@FreeBSD.ORG Mon Apr 27 18:46:43 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ADE7B32D for ; Mon, 27 Apr 2015 18:46:43 +0000 (UTC) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 98FD61BC2 for ; Mon, 27 Apr 2015 18:46:43 +0000 (UTC) Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 69ADE3ADE4 for ; Mon, 27 Apr 2015 11:37:22 -0700 (PDT) From: "Ronald F. Guilmette" To: freebsd-security@freebsd.org Subject: Logging TCP anomalies Date: Mon, 27 Apr 2015 11:37:22 -0700 Message-ID: <43372.1430159842@server1.tristatelogic.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Apr 2015 18:46:43 -0000 I just now read the following TheRegister news article about detection of "Quantum Insert" funny business: http://www.theregister.co.uk/2015/04/23/detecting_nsa_style_hacking_tool_unsheathed/ I am prompted to ask here whether or not FreeBSD performs any sort of logging of instances when "duplicate TCP packets but with different payloads" occurs, and/or whether FreeBSD provides any options which, for example, might automagically trigger a close of the relevant TCP connection when and if such an event is detected. (Connection close seems to me to be one possible mitigation strategy, even if it might be viewed as rather ham-fisted by some.)