The Dutch company Fox-IT has revealed a detailed information about Quantum Insert Attack. HTML Redirection attack by injecting malicious content into a specific TCP session. A session is selected for injection based on selectors, such as a persistent tracking cookie that identifies a user for a longer period of time.
The attack can be done by sniffing an HTTP request then the attacker will spoofed a crafted HTTP response. In order to craft a spoofed HTTP response the attacker should know the following:
- Source and Destination IP address
- Source and Destination TCP port
- Sequence and Acknowledgment Number
Once the packet is spoofed a race condition will occur, if the attacker win the race then he/she would response to the victim with malicious content instead of the legitimate one.
Performing Quantum Insert attack require that the attacker can monitor the traffic and have very fast infrastructure to win the race condition.
To detect Quantum Insert we should look for the following:
- Duplicate Sequence number with two different payloads, since the attacker will spoof the response ,the victim will have two packets with same sequence number but with different payload.
- TTL anomalies ,the spoofed packets would show a different time to live value than the real packets . TTL different might be legit due to the nature of internet traffic but since the attacker will be closer to the target to win the race condition that might give unusual different in the ttl between the legitimate packets and the spoofed one.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.