====== Trisul Script to detect TCP SegmentSmack attack ======

SegmentSmack [[https://

We just released a [[https://

This article talks a bit about the programming aspects of the PoC code.

===== The script and LuaJIT =====

The script itself is a ''

We then make use of `sweepbuf.lua`

For each flow direction we maintain a variable that contains the expected next sequence number; anything that doesn't match is treated as an out-of-order segment. A real reassembly engine would maintain all of the segments, but we aren't interested in reassembly. Rather, we just want to get a sense of whether the sequence numbers are increasing without holes: a proxy metric.

==== Optimization ====

The script is completely unoptimized,

  - only monitor the forward direction: the attacker -> target side of each flow.
  - if you detect things are fine for, say, 500 segments, stop monitoring that flow. It is likely good.
  - extreme optimizations can involve using LuaJIT FFI to parse the fields instead of BitMaul. But we can tell you this rule: never underestimate LuaJIT!! So this would be a last resort.
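The following is an added illustration of the proxy metric described above (one expected-next-sequence-number variable per flow direction, every mismatch counted as out-of-order) together with the first two optimizations from the list (forward direction only, release a flow after a run of good segments). It is not the Trisul PoC script and is written in plain Python rather than Trisul's Lua API so it runs stand-alone on constructed segments; the flow key, the `ooo_threshold` alert value, the resync-on-hole behaviour and the sample traffic are all assumptions.

```python
# Added illustration, not the Trisul script. Tracks, per flow direction, the
# expected next TCP sequence number and counts segments that do not match it.

SEQ_MOD = 1 << 32           # TCP sequence numbers are 32-bit and wrap around


def seq_ahead(a, b):
    """True if sequence number a lies after b, modulo 2**32 (serial arithmetic)."""
    return 0 < ((a - b) % SEQ_MOD) < (SEQ_MOD >> 1)


class DirectionState:
    __slots__ = ("expected", "in_order", "out_of_order", "released")

    def __init__(self):
        self.expected = None      # next sequence number we expect in this direction
        self.in_order = 0
        self.out_of_order = 0
        self.released = False     # True once we stop watching this direction


class SegmentSmackMonitor:
    """Per-direction sequence-hole counter.

    good_run:      release a direction after this many in-order segments with
                   no holes at all (the article suggests 500).
    ooo_threshold: out-of-order count that raises an alert (assumed value).
    forward_only:  only track the initiator -> responder direction, which is
                   seeded by the initiator's bare SYN (assumption).
    """

    def __init__(self, good_run=500, ooo_threshold=20, forward_only=True):
        self.good_run = good_run
        self.ooo_threshold = ooo_threshold
        self.forward_only = forward_only
        self.dirs = {}            # (src, sport, dst, dport) -> DirectionState
        self.alerts = []          # (flow key, out_of_order count)

    def observe(self, src, sport, dst, dport, seq, payload_len,
                syn=False, ack=True, fin=False):
        key = (src, sport, dst, dport)
        st = self.dirs.get(key)
        if st is None:
            if self.forward_only and not (syn and not ack):
                return None       # not the initiator's opening SYN: ignore this direction
            st = self.dirs[key] = DirectionState()
        if st.released:
            return None
        consumed = payload_len + int(syn) + int(fin)   # SYN and FIN each use one sequence number
        if consumed == 0:
            return "empty"        # pure ACKs carry no sequence information
        if st.expected is None:
            st.expected = (seq + consumed) % SEQ_MOD
            return "seeded"
        if seq == st.expected:
            st.in_order += 1
            st.expected = (seq + consumed) % SEQ_MOD
            if st.out_of_order == 0 and st.in_order >= self.good_run:
                st.released = True            # optimization 2: flow looks healthy, stop watching
                return "released"
            return "in_order"
        st.out_of_order += 1
        if seq_ahead(seq, st.expected):
            # A hole: jump to the far edge so one lost packet does not make every
            # later segment look out-of-order (resync policy is an assumption).
            st.expected = (seq + consumed) % SEQ_MOD
        # Otherwise it is a retransmission/overlap: keep the current expectation.
        if st.out_of_order == self.ooo_threshold:
            self.alerts.append((key, st.out_of_order))
            return "alert"
        return "out_of_order"


def demo():
    """Constructed traffic: one clean flow, one flow full of holes, one reverse-direction packet."""
    m = SegmentSmackMonitor(good_run=5, ooo_threshold=3)
    clean = ("10.0.0.1", 40000, "10.0.0.2", 80)
    m.observe(*clean, seq=1000, payload_len=0, syn=True, ack=False)     # expected -> 1001
    good = [m.observe(*clean, seq=1001 + 100 * i, payload_len=100) for i in range(6)]
    noisy = ("10.0.0.9", 40001, "10.0.0.2", 80)
    m.observe(*noisy, seq=5000, payload_len=0, syn=True, ack=False)     # expected -> 5001
    attack = [m.observe(*noisy, seq=s, payload_len=8) for s in (5001, 5100, 5001, 5200)]
    reverse = m.observe("10.0.0.2", 80, "10.0.0.1", 40000, seq=9000, payload_len=100)
    return {"good": good, "attack": attack, "reverse": reverse, "alerts": m.alerts}


if __name__ == "__main__":
    print(demo())
```

The clean flow is released after five in-order segments and every later segment costs nothing; the noisy flow raises an alert on its third hole; the responder's packet is never tracked because it did not start with a bare SYN. A real deployment would key on the direction the engine already exposes and pick thresholds from observed baseline traffic.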
===== Performance impact =====

The PoC script is unoptimized: it breaks up EVERY TCP packet, even encrypted ones, into its fields. You might be wondering if the Trisul LuaJIT API can handle

We put this code in a testbed on a single Core-i3 @ 3.2GHz and at 170Mbps there were no packet drops.

The following is output from our diagnostic tool RAT. The system had 12 other rather big Lua apps running; still we were able to do 180Mbps on a single i3 core.

To start rat:
<code>
source /
rat.rx
</code>

==== Tradeoff ====

We are very pleased with the [[https://
articles/segmentsmack.txt · Last modified: 2018/08/24 23:18 by veera