Date:      Tue, 28 Apr 2015 06:20:46 -0700
From:      Kurt Buff <kurt.buff@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Logging TCP anomalies
Message-ID:  <CADy1Ce5RE-J7OmU-V2LtRR2S9EZ1ibd00F3w95WhreOub5E-5A@mail.gmail.com>
In-Reply-To: <43372.1430159842@server1.tristatelogic.com>
References:  <43372.1430159842@server1.tristatelogic.com>

Snort (and brethren) at the perimeter seem like a reasonable approach.
http://seclists.org/snort/2015/q2/114

But, more likely to succeed will be SSL everywhere, and certificate
pinning, since this is primarily a web-based attack:
http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/

Kurt

On Mon, Apr 27, 2015 at 11:37 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

>
> I just now read the following TheRegister news article about detection
> of "Quantum Insert" funny business:
>
>
> http://www.theregister.co.uk/2015/04/23/detecting_nsa_style_hacking_tool_unsheathed/
>
> I am prompted to ask here whether or not FreeBSD performs any sort of
> logging of instances when "duplicate TCP packets but with different
> payloads" occurs, and/or whether FreeBSD provides any options which,
> for example, might automagically trigger a close of the relevant TCP
> connection when and if such an event is detected.  (Connection close
> seems to me to be one possible mitigation strategy, even if it might
> be viewed as rather ham-fisted by some.)
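A defender-side check for the "duplicate TCP packets but with different payloads" pattern the question above describes, as an added example that is not from the thread, from FreeBSD or from Snort: it walks a list of segment records, remembers the first payload seen for each flow and sequence number, and flags any later segment whose overlapping bytes differ. The addresses and HTTP bodies are constructed sample data.

```python
from collections import namedtuple

# Minimal TCP segment record; constructed inline, no capture library needed.
Segment = namedtuple("Segment", "src dst sport dport seq payload")

def find_payload_mismatches(segments):
    """Return (original, duplicate) pairs where a later segment in the same
    flow reuses a sequence number but carries different bytes.

    An honest retransmission repeats the original data (possibly a shorter
    or longer piece of it), so only the overlapping prefix is compared;
    a mismatch there is the anomaly the thread asks about.
    """
    first_seen = {}
    alerts = []
    for seg in segments:
        key = (seg.src, seg.dst, seg.sport, seg.dport, seg.seq)
        prior = first_seen.get(key)
        if prior is None:
            first_seen[key] = seg
            continue
        n = min(len(prior.payload), len(seg.payload))
        if prior.payload[:n] != seg.payload[:n]:
            alerts.append((prior, seg))
    return alerts

# Constructed sample flow: a web server's reply, a benign retransmission,
# a benign partial resend, and one segment with the same seq but a
# different body (the trace a spoofed-response injection leaves behind).
SAMPLE = [
    Segment("203.0.113.10", "198.51.100.7", 80, 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment("203.0.113.10", "198.51.100.7", 80, 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment("203.0.113.10", "198.51.100.7", 80, 51234, 1000,
            b"HTTP/1.1 200 OK\r\n"),
    Segment("203.0.113.10", "198.51.100.7", 80, 51234, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
]

if __name__ == "__main__":
    for prior, dup in find_payload_mismatches(SAMPLE):
        print(f"payload mismatch {dup.src}:{dup.sport}->{dup.dst}:{dup.dport} "
              f"seq={dup.seq}: {prior.payload[:20]!r} vs {dup.payload[:20]!r}")
```

Only the first segment per (flow, seq) is retained, so on live traffic the table needs an expiry policy; the point here is the comparison rule, not state management.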


