// setupNewConnection builds a connection for flow from the dispatcher's
// options, registers it in the dispatcher's pool under flow.ConnectionHash(),
// and returns it.
//
// When packet logging is enabled, a per-flow packet logger is built, attached
// to the connection and started before the connection is registered.
//
// NOTE(review): the pool entry is written without any locking visible in this
// method, and an existing entry under the same hash is overwritten without
// notice. Confirm that callers serialize access and that hash collisions
// between distinct flows are handled elsewhere.
func (i *Dispatcher) setupNewConnection(flow *types.TcpIpFlow) ConnectionInterface {
	connOpts := ConnectionOptions{
		// Buffering and ring limits.
		MaxBufferedPagesTotal:         i.options.BufferedTotal,
		MaxBufferedPagesPerConnection: i.options.BufferedPerConnection,
		MaxRingPackets:                i.options.MaxRingPackets,
		PageCache:                     i.pageCache,
		Pool:                          &i.pool,

		// Logging.
		LogDir:       i.options.LogDir,
		LogPackets:   i.options.LogPackets,
		AttackLogger: i.options.Logger,

		// Detection toggles.
		DetectHijack:            i.options.DetectHijack,
		DetectInjection:         i.options.DetectInjection,
		DetectCoalesceInjection: i.options.DetectCoalesceInjection,
	}
	newConn := i.connectionFactory.Build(connOpts)

	if i.options.LogPackets {
		pl := i.PacketLoggerFactory.Build(flow)
		newConn.SetPacketLogger(pl)
		pl.Start()
	}

	key := flow.ConnectionHash()
	i.pool[key] = newConn

	// Signal an observer once the tracked connection count reaches the
	// configured threshold; a threshold of zero disables the signal.
	// NOTE(review): this send blocks if the channel has no free buffer slot
	// and no receiver is waiting. Confirm against the channel's creation site.
	if want := i.observeConnectionCount; want != 0 && want == len(i.connections()) {
		i.observeConnectionChan <- true
	}
	return newConn
}
// detectInjection writes an attack report if the given packet indicates a TCP
// injection attack such as segment veto.
//
// The packet is checked by injectionInStreamRing against one of the
// connection's stream rings: ServerStreamRing when flow equals the client
// flow, ClientStreamRing otherwise. A non-nil event is sent to the attack
// logger and marks the connection as attacked; a nil result is logged as an
// ordinary retransmission.
//
// NOTE(review): the "normal TCP retransmission" message is emitted for every
// nil result, so this presumably expects to be called only for segments that
// overlap already-seen data. Verify against the caller.
func (c *Connection) detectInjection(p *types.PacketManifest, flow *types.TcpIpFlow) {
	var ring *types.Ring
	switch {
	case flow.Equal(c.clientFlow):
		ring = c.ServerStreamRing
	default:
		ring = c.ClientStreamRing
	}

	ev := injectionInStreamRing(p, flow, ring, "ordered injection", c.packetCount)
	if ev == nil {
		log.Print("not an attack attempt; a normal TCP retransmission.\n")
		return
	}

	c.AttackLogger.Log(ev)
	c.attackDetected = true
	log.Printf("packet # %d\n", c.packetCount)
}
// detectHijack checks for a duplicate SYN/ACK indicating a handshake hijack
// and submits a report if an attack was observed.
//
// Only packets whose flow equals the server flow are examined. A SYN/ACK whose
// acknowledgement number matches c.hijackNextAck is treated as a
// retransmission when its sequence number equals c.firstSynAckSeq. Any other
// sequence number is reported as a "handshake-hijack" event and marks the
// connection as attacked.
//
// NOTE(review): hijackNextAck and firstSynAckSeq are presumably recorded when
// the first SYN/ACK of the handshake is seen. Confirm where they are set.
func (c *Connection) detectHijack(p *types.PacketManifest, flow *types.TcpIpFlow) {
	// Only the server side of the handshake can send the SYN/ACK of interest.
	if !flow.Equal(c.serverFlow) {
		return
	}
	tcp := p.TCP
	if !(tcp.SYN && tcp.ACK) {
		return
	}
	// The SYN/ACK must acknowledge the same point as the recorded handshake.
	if types.Sequence(tcp.Ack).Difference(c.hijackNextAck) != 0 {
		return
	}
	// Same sequence number as the first SYN/ACK: a plain retransmission.
	if tcp.Seq == c.firstSynAckSeq {
		log.Print("SYN/ACK retransmission\n")
		return
	}

	// A second SYN/ACK with a different initial sequence number.
	log.Print("handshake hijack detected\n")
	c.AttackLogger.Log(&types.Event{
		Time:        time.Now(),
		Type:        "handshake-hijack",
		PacketCount: c.packetCount,
		Flow:        flow,
		HijackSeq:   tcp.Seq,
		HijackAck:   tcp.Ack,
	})
	c.attackDetected = true
}