Published on June 8th, 2015 📆 | 4437 Views ⚑0
TCP attack inquisitor: HoneyBadger
HoneyBadger is a comprehensive TCP stream analysis tool for detecting and recording TCP attacks. HoneyBadger includes a variety of TCP stream injections attacks which will prove that the TCP attack detection is reliable. HoneyBadger is modern software written in Golang to deal with TCP’s very old security issues. It is free software, using the GPLv3 and the source code is available on github.
TCP attack inquisitor and 0-day catcher.
- HoneyBadger is primarily a comprehensive TCP stream analysis tool for detecting and recording TCP attacks.
- HoneyBadger is modern software written in Golang to deal with TCP’s very old injection vulnerabilities.
- HoneyBadger includes a variety of TCP stream injection attacks written in golang. (2 so far)
- Free as in GPLv3 (except for small sections of Google’s BSD licensed code) and the source code is available on github:
It is not a good idea to run network traffic analysis tools as root. In Linux you can run these tools as an unprivileged user after you run setcap as root like this:
# setcap cap_net_raw,cap_net_admin=eip honey_badger
Before building and installing honeybadger you should install a modern version of golang from source:
cd $HOME git clone https://go.googlesource.com/go cd go git checkout go1.4.2 cd src ./make.bash
Setup the golang environment variables:
export GOPATH=$HOME/go/gopath export PATH=$PATH:$HOME/go/bin:$HOME/go/gopath/bin
Then after that you can build honeybadger and it’s dependencies like this:
cd $HOME/go mkdir -p gopath/src/github.com/google cd gopath/src/github.com/google git clone https://github.com/google/gopacket.git mkdir -p $HOME/go/gopath/src/github.com/david415 cd $HOME/go/gopath/src/github.com/david415 git clone https://github.com/david415/HoneyBadger.git cd HoneyBadger/cmd/honeyBadger go build
Disable the various segmentation offloading options on the network device(s) you will be sniffing:
ethtool -K eth0 gso off ethtool -K eth0 tso off ethtool -K eth0 gro off
Simple Tor exit relay deployment
Linux users should run honeyBadger as an unprivileged user. First run setcap as root like so:
setcap cap_net_raw,cap_net_admin=eip honeyBadger
Create RAM backed filesystem for your honeyBadger log directory. if you use Linux then you chose between ramfs and tmpfs. It is recommend turning swap off and using tmpfs… this way you can limit the size of the log directory.
Here in these two following usage examples we use a berkeley-packet-filter to allow only capturing traffic destined to port 80… where we are far more likely to catch TCP injection attacks in the wild. You could instead scan all traffic on the interface by setting the BPF to “tcp”.
Here’s an example running honeyBadger for a Tor exit relay with full-take logging:
./honeyBadger -l="logs" -connection_max_buffer=100 -f="tcp port 80" -i=eth0 -metadata_attack_log=false -tcp_idle_timeout=14m0s -total_max_buffer=1000 -max_concurrent_connections=200 -log_packets=true
Alternatively, this would record only TCP injection attack metadata (includes IP addresses and TCP port numbers but not packet payloads):
./honeyBadger -l="logs" -connection_max_buffer=100 -f="tcp port 80" -i=eth0 -metadata_attack_log=true -tcp_idle_timeout=14m0s -total_max_buffer=1000 -max_concurrent_connections=200 -log_packets=false
HoneyBadger CLI Arguments and Usage
$ ./honeyBadger --help Usage of ./honeyBadger: -connection_max_buffer=0: Max packets to buffer for a single connection before skipping over a gap in data and continuing to stream the connection after the buffer. If zero or less, this is infinite. -detect_coalesce_injection=true: Detect coalesce injection attacks -detect_hijack=true: Detect handshake hijack attacks -detect_injection=true: Detect injection attacks -f="tcp": BPF filter for pcap -i="eth0": Interface to get packets from -l="honeyBadger-logs": log directory -log_packets=false: if set to true then log all packets for each tracked TCP connection -max_concurrent_connections=0: Maximum number of concurrent connection to track. -max_ring_packets=40: Max packets per connection stream ring buffer -metadata_attack_log=true: if set to true then attack reports will only include metadata -s=65536: SnapLen for pcap packet capture -tcp_idle_timeout=5m0s: tcp idle timeout duration -total_max_buffer=0: Max packets to buffer total before skipping over gaps in connections and continuing to stream connection data. If zero or less, this is infinite -w="3s": timeout for reading packets off the wire
- packet capture options: Options ‘-f’ and ‘-i’ are used to determine which packets to pay attention to. Currently honeybadger only supports sniffing one network interface. If libpcap support is discontinued, the ‘-f’ filter argument would go away. ‘-w’ and ‘-s’ are relevant here, you probably want to use the default options.
- logging options: you must specify a logging directory using ‘-l’. pcap logging is off by default. If you set -log_packets= to true then honeybadger will write one pcap file per connection. Upon connection close honeybadger will delete the pcap logfile unless a TCP attack was detected. warning: this will cause lots of filesystem churn when sniffing high traffic interfaces. If you are using Linux turning swap off is recommended. Use a reasonably sized tmpfs for the logs directory. By default honeybadger write metadata-only logs which will NOT contain any packet payload data but will have various sensitive information about attack attempts such as: source and destination IP addresses and TCP ports, the type of TCP injection attack (there are several), time of the attack, TCP Sequence number boundaries of the injection. If you set -metadata_attack_log=false then honeybadger will log the attack packet payload AND the stream overlap.
- resource boundary options: ‘-connection_max_buffer’ and ‘-total_max_buffer’ are used to limit the amount of page-cache pages that honeybadger can use for storing and reordering out-of-order-packets (much like TCP’s mbuf datastructure). ‘-tcp_idle_timeout’ is important as a stop-gap measure to prevent us from tracking connections that may have been closed without our knowing. ‘-max_ring_packets’ is very important to set appropriately; it determines the size of the TCP reassembly ring buffer. This ring buffer is utilized for the retrospective analysis that allows us to determine if a given packet overlaps with previously reassembled stream segments. It is estimated that this ring buffer should be set to a size that is roughly equivalent to the TCP window size of the connection…usually set to 40 and it works OK.
How does HoneyBadger work?
HoneyBadger passively reads packets off a network interface or a pcap file and if detection is triggered writes TCP attack reports, pcap packet log files and reasembled TCP streams. Here’s a data flow diagram