Beispiel #1
0
// detectInjection write an attack report if the given packet indicates a TCP injection attack
// such as segment veto.
func (c *Connection) detectInjection(p *types.PacketManifest, flow *types.TcpIpFlow) {
	var ringPtr *types.Ring
	if flow.Equal(c.clientFlow) {
		ringPtr = c.ServerStreamRing
	} else {
		ringPtr = c.ClientStreamRing
	}
	event := injectionInStreamRing(p, flow, ringPtr, "ordered injection", c.packetCount)
	if event != nil {
		c.AttackLogger.Log(event)
		c.attackDetected = true
		log.Printf("packet # %d\n", c.packetCount)
	} else {
		log.Print("not an attack attempt; a normal TCP retransmission.\n")
	}
}
Beispiel #2
0
// detectHijack checks for duplicate SYN/ACK indicating handshake hijake
// and submits a report if an attack was observed
func (c *Connection) detectHijack(p *types.PacketManifest, flow *types.TcpIpFlow) {
	// check for duplicate SYN/ACK indicating handshake hijake
	if !flow.Equal(c.serverFlow) {
		return
	}
	if p.TCP.ACK && p.TCP.SYN {
		if types.Sequence(p.TCP.Ack).Difference(c.hijackNextAck) == 0 {
			if p.TCP.Seq != c.firstSynAckSeq {
				log.Print("handshake hijack detected\n")
				c.AttackLogger.Log(&types.Event{
					Time:        time.Now(),
					Type:        "handshake-hijack",
					PacketCount: c.packetCount,
					Flow:        flow,
					HijackSeq:   p.TCP.Seq,
					HijackAck:   p.TCP.Ack})
				c.attackDetected = true
			} else {
				log.Print("SYN/ACK retransmission\n")
			}
		}
	}
}