Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: Quantum Insert Attack - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quantum Insert Attack

The Dutch company Fox-IT has revealed a detailed information about Quantum Insert Attack. "‘HTML Redirection’ attack by injecting malicious content into a specific TCP session. A session is selected for injection based on ‘selectors’, such as a persistent tracking cookie that identifies a user for a longer period of time."

The attack can be done by sniffing an HTTP request then the attacker will spoofed a crafted HTTP response. In order to craft a spoofed HTTP response the attacker should know the following:

  • Source and Destination IP address
  • Source and Destination TCP port
  • Sequence and Acknowledgment Number

Once the packet is spoofed a race condition will occur, if the attacker win the race then he/she would response to the victim with malicious content instead of the legitimate one.

Performing Quantum Insert attack require that the attacker can monitor the traffic and have very fast infrastructure to win the race condition.

To detect Quantum Insert we should look for the following:

  1. Duplicate Sequence number with two different payloads, since the attacker will spoof the response ,the victim will have two packets with same sequence number but with different payload.
  2. TTL anomalies ,the spoofed packets would show a different time to live value than the real packets . TTL different might be legit due to the nature of internet traffic but since the attacker will be closer to the target to win the race condition that might give unusual different in the ttl between the legitimate packets and the spoofed one.

==========================================

http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

 

Basil

56 Posts
ISC Handler
Hmmm, might that be related ;)

Surveillance system used for censorship in Europe - Censorship attack combines packet injection and Heartbleed
http://seclists.org/fulldisclosure/2015/Apr/83
Basil
1 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!