[Oisf-users] Fwd: UC Study highlights major cybersecurity threat

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 18 00:53:31 UTC 2016

Copied message from the emerging-sigs list re: using suricata to detect
out-of-band attacks against the Linux TCP stack.

As an aside, this caused me to revisit my process for detecting SYN
floods.  Does anyone know if its possible to extract information re: SYN
packet rates and/or flow timeouts from the stream engine?


-------- Original Message --------
Subject: UC Study highlights major cybersecurity threat
Date: Wed, 17 Aug 2016 17:47:54 -0700
From: Cooper F. Nelson <cnelson at ucsd.edu>
To: Emerging Sigs <emerging-sigs at emergingthreats.net>

UC researchers have discovered a security vulnerability present in the
TCP implementation of modern Linux kernels (3.6 and higher).  Details
linked below:

> http://www.universityofcalifornia.edu/news/study-highlights-major-cybersecurity-threat

This is a timed side-channel attack that can be used to passively
extract information from an established client/server TCP session.

After reading the paper I put together two simple suricata signatures
based on existing behavioral analysis signatures that should detect this
(still needs to be tested, though).  One using the 'flags' keyword and
another using the stream tracker (which will probably be more efficient).

> alert tcp any any -> any any (msg:"LOCAL RST flood, possible timed side channel attack"; flags:R; threshold: type both, track by_dst, count 50, seconds 1; classtype:misc-activity; sid:9;)
> alert tcp any any -> any any (msg:"SURICATA STREAM RST flood, possible timed side-channel attack"; threshold: type both, track by_src, count 50, seconds 1; stream-event:rst_invalid_ack; sid:2210050; rev:1;)

A word of warning, the first signature has a fairly high CPU overhead as
every TCP packet is being evaluated.

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160817/f8171f13/attachment.sig>

More information about the Oisf-users mailing list