TCP SPLIT HANDSHAKE ATTACK
Mehmet Burak AKGÜN
04/27/2011

Outline
• Introduction
• Attack Mechanism
• NSS LABS Test Results

Introduction: TCP
• Transport Layer Protocol
• Connection Oriented
• Stateful
• Sequence #

Introduction: TCP
• Reliability: ACK/NACK
• Flow Control
• Congestion Control: Slow start / Automatic Repeat Request

3-way Handshake
• SYN
  – Client initiates
  – Sets sequence number to random number
• SYN/ACK
  – Server generates own random number
• ACK
  – Connection Established

Outline
• Introduction
• Method
• Test of commercial products

RFC 793 - TCP State Diagram

RFC 793 definition of TCP Handshake
• Section 3.3 of RFC 793 defines the TCP handshake as a 4 step process.
• The state diagram designed this way allows a host in the SYN_SENT state to receive a SYN alone (without an ACK).

Simultaneous Open Mode
• 4 step handshaking allows Simultaneous Open Mode

SPLIT SYN/ACK
5 step TCP SPLIT
• Malicious server splits the SYN/ACK and sends ACK only.

SPLIT SYN/ACK
Step two (the server's initial ACK) appears to have no effect on establishing a new TCP session, and may optionally be dropped.

So What Can an Attacker Accomplish with this Attack?
The attacker has reversed the logical direction of the client's initial connection.

Scenario
• Say an unpatched client in your network connects to a malicious drive-by download web server that is not leveraging the split-handshake attack. The malicious web site tries to get your client to execute some JavaScript that forces your client to download malware. If you have gateway IPS and AV, your IPS may detect the malicious JavaScript, or your AV may catch the malware. In either case, your security scanning would block the attack.
• However, if the malicious web server adds the TCP split-handshake connection to the same attack, your IPS and AV systems may be confused by the direction of the traffic, and not scan the web server's content. Now the malicious drive-by download would succeed, despite your gateway security protection.
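
As an added example (not part of the original slides), the Python classifier below separates the normal 3-way handshake, the simultaneous open, and the split handshake described above, and reports when a device that treats the SYN/ACK sender as the server would see the flow in the wrong direction. The packet ordering of the constructed samples, the addresses, and all names are assumptions made for illustration.

```python
# Added example: classify the opening packets of one TCP flow (constructed data).
SYN, ACK = "SYN", "ACK"

def classify_handshake(packets):
    """packets: (src, dst, flags) tuples for one flow in capture order; flags is a set."""
    initiator = next((src for src, _, fl in packets if fl == {SYN}), None)
    if initiator is None:
        return {"kind": "no-syn", "initiator": None, "direction_mismatch": False}
    # Bare SYN (no ACK) sent back by the side that did not open the flow.
    responder_bare_syn = any(fl == {SYN} and src != initiator
                             for src, _, fl in packets)
    synack_senders = {src for src, _, fl in packets if fl == {SYN, ACK}}
    if not responder_bare_syn and synack_senders and initiator not in synack_senders:
        kind = "three-way"
    elif responder_bare_syn and synack_senders == {initiator}:
        kind = "split-handshake"
    elif responder_bare_syn and len(synack_senders) == 2:
        kind = "simultaneous-open"
    else:
        kind = "incomplete-or-other"
    # A tracker that labels the SYN/ACK sender as "server" disagrees with the
    # first-SYN view exactly when only the initiator sends a SYN/ACK.
    return {"kind": kind, "initiator": initiator,
            "direction_mismatch": synack_senders == {initiator}}

# Constructed sample flows; addresses are documentation/private placeholders.
C, S = "10.0.0.5", "203.0.113.9"
NORMAL = [(C, S, {SYN}), (S, C, {SYN, ACK}), (C, S, {ACK})]
SPLIT5 = [(C, S, {SYN}), (S, C, {ACK}), (S, C, {SYN}),
          (C, S, {SYN, ACK}), (S, C, {ACK})]
SPLIT4 = [p for i, p in enumerate(SPLIT5) if i != 1]  # step two dropped
SIMOPEN = [(C, S, {SYN}), (S, C, {SYN}),
           (C, S, {SYN, ACK}), (S, C, {SYN, ACK})]

if __name__ == "__main__":
    for name, flow in [("normal", NORMAL), ("split-5", SPLIT5),
                       ("split-4", SPLIT4), ("sim-open", SIMOPEN)]:
        print(name, classify_handshake(flow))
```

The initiator is always taken from the first bare SYN, so inspection policy keyed on that field keeps scanning the content that flows back to the client even when `direction_mismatch` is true.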
CNL 2010

Outline
• Introduction
• Method
• Test of commercial products

Network Firewall Group Test Q2 2011 by NSS LABS
• Full Report $3500
• Products Tested:
  – Check Point Power-1 11065
  – Cisco ASA 5585
  – Fortinet Fortigate 3950
  – Juniper SRX 5800
  – Palo Alto Networks PA-4020
  – SonicWALL NSA E8500
• Companies are releasing firmware updates!

QUESTIONS?