From: Kurt Buff
To: freebsd-security@freebsd.org
Date: Tue, 28 Apr 2015 06:20:46 -0700
Subject: Re: Logging TCP anomalies
In-Reply-To: <43372.1430159842@server1.tristatelogic.com>
Snort (and brethren) at the perimeter seem like a reasonable approach.

http://seclists.org/snort/2015/q2/114

But, more likely to succeed will be SSL everywhere, and certificate pinning, since this is primarily a web-based attack:

http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/

Kurt

On Mon, Apr 27, 2015 at 11:37 AM, Ronald F. Guilmette wrote:
>
> I just now read the following TheRegister news article about detection
> of "Quantum Insert" funny business:
>
> http://www.theregister.co.uk/2015/04/23/detecting_nsa_style_hacking_tool_unsheathed/
>
> I am prompted to ask here whether or not FreeBSD performs any sort of
> logging of instances when "duplicate TCP packets but with different
> payloads" occurs, and/or whether FreeBSD provides any options which,
> for example, might automagically trigger a close of the relevant TCP
> connection when and if such an event is detected. (Connection close
> seems to me to be one possible mitigation strategy, even if it might
> be viewed as rather ham-fisted by some.)
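The anomaly Ronald asks about, a TCP segment that repeats an already-seen sequence number on the same flow but carries different bytes, can be checked on captured traffic with a small stateful filter. The following is an added example written for this thread; it is not FreeBSD, Snort or either poster's code. The Segment type, the DuplicateSeqDetector class and the constructed sample segments (documentation-range addresses, an invalid hostname) are assumptions made for the example. An ordinary retransmission (same bytes) and a segment whose payload is a prefix of the earlier one are treated as consistent and not reported, so only genuinely conflicting data at the same offset raises an alert.

```python
"""Flag TCP segments that reuse a (flow, seq) pair with conflicting payload.

Added example for the freebsd-security thread on logging TCP anomalies;
not FreeBSD or Snort code. Segments are fed in as plain tuples; in practice
they would be decoded from a pcap or a packet-capture library.
"""

from typing import Dict, List, NamedTuple, Optional, Tuple


class Segment(NamedTuple):
    """Minimal view of a TCP segment (hypothetical type for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


FlowSeqKey = Tuple[str, int, str, int, int]


class DuplicateSeqDetector:
    """Remember the first payload seen at each (flow, seq) and report a later
    segment at the same position whose bytes disagree with it."""

    def __init__(self) -> None:
        self._first_seen: Dict[FlowSeqKey, bytes] = {}
        self.alerts: List[dict] = []

    def observe(self, seg: Segment) -> Optional[dict]:
        key: FlowSeqKey = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        prev = self._first_seen.get(key)
        if prev is None:
            # first time this offset is seen on this flow: record it
            self._first_seen[key] = seg.payload
            return None
        # compare only the overlapping prefix: identical bytes are a normal
        # retransmission, and a shorter/longer copy of the same data is fine
        common = min(len(prev), len(seg.payload))
        if prev[:common] == seg.payload[:common]:
            return None
        alert = {
            "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
            "seq": seg.seq,
            "first_payload": prev,
            "conflicting_payload": seg.payload,
        }
        self.alerts.append(alert)
        return alert


def scan(segments: List[Segment]) -> List[dict]:
    """Run the detector over a list of segments and return every alert."""
    detector = DuplicateSeqDetector()
    for seg in segments:
        detector.observe(seg)
    return detector.alerts


# Constructed sample traffic (documentation-range addresses): a server reply,
# a benign retransmission of it, a conflicting segment at the same sequence
# number, and the next in-order segment.
SAMPLE_SEGMENTS: List[Segment] = [
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1052,
            b"<body>hello</body></html>"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_SEGMENTS):
        print(f"CONFLICT {a['flow']} seq={a['seq']}: "
              f"{a['first_payload'][:16]!r} vs {a['conflicting_payload'][:16]!r}")
```

The detector keys on the exact sequence number, which is the case the thread describes; a segment that overlaps an earlier one from a different starting offset would need the stored ranges to be compared byte by byte, and any real deployment would also have to expire state per flow.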