List:       debian-security
Subject:    Re: NSA software in Debian
From:       Jeremie Marguerie <jeremie () marguerie ! org>
Date:       2014-01-28 23:37:26
Message-ID: CAKS89GrGYLnLdsoshPE9McXgdVA-tyQRuOrgpDxYY3=a8-MgDg () mail ! gmail ! com

On Tue, Jan 28, 2014 at 2:08 PM, Hans-Christoph Steiner <hans@at.or.at> wrote:
> I think the MITM attacks that the NSA does on the core internet routers are
> likely based on IP rather than DNS.  The reports talk about the system being
> set up to respond before any of the real servers can.  So my guess is that they
> are replying to ARPs, thereby claiming an IP.  Just a guess...

If you're speaking about quantum insert, the NSA isn't stealing IPs; it
doesn't need to, as the network allows pretty much anyone to forge a
packet with any non-RFC-1918 IP.

What I understood was that the NSA is able to analyze requests coming
from some users in realtime and reply with spoofed responses. You can
do it in several ways, like hijacking the TCP connection to control the
stream from end to end, but I guess this is too costly. You could get
only the packet that contains the GET request (for an HTTP request) and
reply faster than the server with another response. You know all the
parameters of the TCP/IP connection, so it's easy to hijack a couple of
unencrypted packets.

The success rate is not 100% because you need to beat the real server
and send your response faster. Doing so will cause the real server to be
confused by the ACK the client sends; I'm not sure how the TCP stack
will react. It might react differently depending on the OS/kernel too.

See:
http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html


-- 
Jérémie MARGUERIE
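The race described in the message above leaves a trace a network monitor can look for: the forged reply and the real server's reply both claim the same TCP sequence number but carry different bytes, whereas a genuine retransmission repeats bytes already seen. The following detector is an added example, not code from the list or from any of the posters; the Segment model and the sample capture (client 10.0.0.5, server 203.0.113.10, an injected 302 beating a real 200) are constructed for the demonstration.

```python
from collections import namedtuple

# Minimal model of a captured TCP segment (constructed for this example;
# a real detector would fill these fields from pcap or NIDS data).
Segment = namedtuple("Segment", "ts src sport dst dport seq payload")

def _same_overlap(a, b):
    """True if two payloads agree on the bytes they have in common, so a
    retransmission cut at a different segment boundary is not a mismatch."""
    n = min(len(a), len(b))
    return n == 0 or a[:n] == b[:n]

def find_injected_responses(segments):
    """Return (first_seen, conflicting) pairs: segments of one flow that
    reuse a sequence number with different data.  In the race above the
    forged reply arrives first and the real one follows with the same seq."""
    variants = {}  # (src, sport, dst, dport, seq) -> distinct segments seen
    hits = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        known = variants.setdefault(key, [])
        if any(_same_overlap(k.payload, seg.payload) for k in known):
            continue  # plain retransmission of bytes already observed
        if known:
            hits.append((known[0], seg))
        known.append(seg)
    return hits

# Constructed sample capture: the client's GET, a forged 302 that wins the
# race, the server's real 200 (same seq, different bytes), then a genuine
# retransmission of that 200, which must not be flagged a second time.
SAMPLE = [
    Segment(0.000, "10.0.0.5", 51234, "203.0.113.10", 80, 1,
            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(0.004, "203.0.113.10", 80, "10.0.0.5", 51234, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"),
    Segment(0.030, "203.0.113.10", 80, "10.0.0.5", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(0.250, "203.0.113.10", 80, "10.0.0.5", 51234, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

def demo():
    hits = find_injected_responses(SAMPLE)
    for first, later in hits:
        print(f"possible injection {first.src}:{first.sport} -> {first.dst}:{first.dport} "
              f"seq={first.seq}: first={first.payload[:18]!r} later={later.payload[:18]!r}")
    return hits

if __name__ == "__main__":
    demo()
```

The same check extends naturally to out-of-order captures, since segments are sorted by timestamp before comparison; only the first variant at each sequence number is reported as the suspect.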


--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAKS89GrGYLnLdsoshPE9McXgdVA-tyQRuOrgpDxYY3=a8-MgDg@mail.gmail.com