SANS ISC Internet Storm Center

Quantum Insert Attack

Published: 2015-04-26
Last Updated: 2015-04-26 17:26:49 UTC
by Basil Alawi S.Taher (Version: 1)
1 comment(s)

The Dutch company Fox-IT has published detailed information about the Quantum Insert attack, which it describes as an "‘HTML Redirection’ attack by injecting malicious content into a specific TCP session. A session is selected for injection based on ‘selectors’, such as a persistent tracking cookie that identifies a user for a longer period of time."

The attack works by sniffing an HTTP request and then spoofing a crafted HTTP response. To craft the spoofed HTTP response the attacker needs to know the following:

  • Source and Destination IP address
  • Source and Destination TCP port
  • Sequence and Acknowledgment Number

Once the spoofed packet is sent, a race condition occurs: if the attacker wins the race, the victim receives the malicious content instead of the legitimate response.

Performing a Quantum Insert attack requires that the attacker can monitor the traffic and has very fast infrastructure to win the race condition.

To detect Quantum Insert, we should look for the following:

  1. Duplicate sequence numbers with two different payloads. Since the attacker spoofs the response, the victim will see two packets with the same sequence number but different payloads.
  2. TTL anomalies. The spoofed packets will show a different time-to-live value than the real packets. A TTL difference can be legitimate due to the nature of Internet routing, but since the attacker has to be closer to the target to win the race condition, there may be an unusual difference in TTL between the legitimate packets and the spoofed one.
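The two indicators above can be checked with a small detector over a stream of TCP segment records. The following is an added example written for this diary, not code from Fox-IT or from the ISC; it assumes segments have already been parsed into dictionaries (source/destination address and port, sequence number, TTL, payload) and uses a constructed sample in which a spoofed response wins the race and the real server response arrives afterwards. The TTL jitter threshold is an assumption for illustration.

```python
"""Flag Quantum Insert indicators: duplicate TCP sequence numbers carrying
different payloads, and TTL values that deviate from the flow's baseline."""
from collections import defaultdict

# Assumption: small TTL changes from ordinary route flapping are tolerated;
# anything at or above this delta is reported for analyst review.
TTL_DELTA_THRESHOLD = 3


def flow_key(seg):
    """Identify a unidirectional flow (server -> client) by its 4-tuple."""
    return (seg["src"], seg["sport"], seg["dst"], seg["dport"])


def detect_quantum_insert(segments, ttl_threshold=TTL_DELTA_THRESHOLD):
    """Return a list of (indicator, segment_index, value) alerts.

    - "duplicate_seq_diff_payload": a sequence number on this flow was already
      seen with a different payload (a plain retransmission repeats the same
      bytes and is not reported).
    - "ttl_anomaly": the segment's TTL differs from the first TTL observed on
      the flow by at least ttl_threshold. In a real capture the first segment
      is normally the server's handshake, which is the safest baseline.
    """
    payloads_seen = defaultdict(set)   # (flow, seq) -> set of payloads observed
    baseline_ttl = {}                  # flow -> TTL of the first segment seen
    alerts = []
    for idx, seg in enumerate(segments):
        flow = flow_key(seg)
        seq_key = (flow, seg["seq"])
        seen = payloads_seen[seq_key]
        if seen and seg["payload"] not in seen:
            alerts.append(("duplicate_seq_diff_payload", idx, seg["seq"]))
        seen.add(seg["payload"])

        if flow not in baseline_ttl:
            baseline_ttl[flow] = seg["ttl"]
        elif abs(seg["ttl"] - baseline_ttl[flow]) >= ttl_threshold:
            alerts.append(("ttl_anomaly", idx, seg["ttl"]))
    return alerts


# Constructed sample traffic (not a real capture). Flow A is a web server
# (203.0.113.10:80) answering a client (192.0.2.5:51000).
_FLOW_A = {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000}
_REAL_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_SEGMENTS = [
    # 0: earlier legitimate segment on flow A; sets the TTL baseline of 54
    dict(_FLOW_A, seq=900, ttl=54,
         payload=b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    # 1: spoofed redirect that wins the race; injected closer to the client,
    #    so fewer hops are consumed and the TTL is noticeably higher
    dict(_FLOW_A, seq=1000, ttl=61,
         payload=b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    # 2: the real server response arrives later with the same seq number
    dict(_FLOW_A, seq=1000, ttl=54, payload=_REAL_RESPONSE),
    # 3: ordinary retransmission of 2: same seq, same bytes, TTL jitter of 1
    dict(_FLOW_A, seq=1000, ttl=55, payload=_REAL_RESPONSE),
    # 4: unrelated flow B, establishes its own baseline and raises nothing
    {"src": "198.51.100.7", "sport": 80, "dst": "192.0.2.9", "dport": 40222,
     "seq": 5000, "ttl": 120, "payload": b"HTTP/1.1 204 No Content\r\n\r\n"},
]


if __name__ == "__main__":
    for indicator, idx, value in detect_quantum_insert(SAMPLE_SEGMENTS):
        print(f"segment {idx}: {indicator} (value={value})")
```

Both indicators fire on the constructed sample: segment 1 is reported for its TTL and segment 2 for repeating sequence number 1000 with different bytes, while the retransmission in segment 3 stays quiet. Tracking the set of payloads per sequence number rather than only the first one matters, because in the race the spoofed segment is the one that arrives first.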

==========================================

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

