Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

TCP Split Handshake Attack

advertisement 
TCP SPLIT HANDSHAKE ATTACK
Mehmet Burak AKGÜN
04/27/2011
Outline
• Introduction
• Attack Mechanism
• NSS LABS Test Results
2
Introduction
TCP
• Transport Layer Protocol
• Connection Oriented
• State-full
• sequence #
3
Introduction
TCP
• Reliability
ACK/NACK
• Flow Control
• Congestion Control
Slow start /Automatic Repeat Request
4
3-way Handshake
• SYN
– client initiates
– Sets sequence number to random number
• SYN/ACK
– Server generates own random number
• ACK
– Connection Established
5
Outline
• Introduction
• Method
• Test of commercial products
6
RFC 793 - TCP State Diagram
RFC 793 definition of TCP Handshake
• Section 3.3 of RFC 793 defines TCP
handshake as a 4 step process.
• Thus designed state diagram allows
receiving only SYN while in SYN_SENT
state.
7
Simultaneous Open Mode
• 4 step handshaking allows Simultaneous Open Mode
8
SPLIT SYN/ACK
5 step TCP SPLIT
• Malicious Server splits the SYN/ ACK and sends ACK only.
9
SPLIT SYN/ACK
Step two (the server's initial ACK), appears to have no effect on
establishing a new TCP session, and may optionally dropped.
10
So What Can an Attacker Accomplish with this Attack?
The attacker has reversed the logical direction of the client’s initial
connection
11
Scenario
•
Say an unpatched client in your network connects to a malicious drive-by
download web server that is not leveraging the split-handshake attack. The
malicious web site tries to get your client to execute some javascript that forces
your client to download malware. If you have gateway IPS and AV, your IPS may
detect the malicious javascript, or your AV may catch the malware. In either case,
your security scanning would block the attack.
•
However, if the malicious web server adds the TCP split-handshake connection to
the same attack, your IPS and AV systems may be confused by the direction of the
traffic, and not scan the web server’s content. Now the malicious drive-by
download would succeed, despite your gateway security protection.
CNL 2010
12
Outline
• Introduction
• Method
• Test of commercial products
13
Network Firewall Group Test Q2 2011 by NSS LABS
• Full Report $3500
• Products Tested:
Check Point Power-1 11065
Cisco ASA 5585
Fortinet Fortigate 3950
Juniper SRX 5800
Palo Alto Networks PA-4020
SonicWALL NSA E8500
• Companies are releasing firmware updates !
14
References

The TCP Split Handshake: Practical Effects on Modern Network Equipment, Macrothink Institute, Network
Protocols and Algorithms, ISSN 1943-3581, 2010, Vol. 2, No. 1
•
John, Wolfgang & Tafvelin, Sven, “Analysis of Internet Backbone Traffic and Header
Anomalies Observed”. IMC '07: Proceedings of the 7th ACM SIGCOMM conference on
Internet measurement, Pp 111-116. October 2007.

http://watchguardsecuritycenter.com/2011/04/15/what-is-the-tcp-split-handshake-attack-and-does-itaffect-me/

http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm

http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html

www.nmap.org

http://www.technicolor.com/en/hi/research-innovation/research-publications/securitynewsletters/security-newsletter-17/a-new-way-for-tcp-connection
CNL 2010
15
QUESTIONS
?
CNL 2010
16
Related documents
Midterm Exam Review
Midterm Exam Review
Q13 Why do manufacturers of network hardware and software follow
Q13 Why do manufacturers of network hardware and software follow
Chapter 2
Chapter 2
CS 433
CS 433
Shakin' Hands and Living in SYN
Shakin' Hands and Living in SYN
midterm-review
midterm-review
REFERENCE MODELS FOR COMPUTER NETWORKS
REFERENCE MODELS FOR COMPUTER NETWORKS
September 17, Lecture 3
September 17, Lecture 3
L18
L18
Wireshark Lab: TCP
Wireshark Lab: TCP
Transportation Layer (2)
Transportation Layer (2)
Transport Control Protocol Outline TCP objectives revisited TCP basics
Transport Control Protocol Outline TCP objectives revisited TCP basics
tcp.ppt
tcp.ppt
TCP for today’s Web
TCP for today’s Web
Defining Strategies to Protect Against TCP SYN Denial of Service Attacks Contents
Defining Strategies to Protect Against TCP SYN Denial of Service Attacks Contents
npch2
npch2
Table of Contents
Table of Contents
Cwnd
Cwnd
3rd Edition: Chapter 3
3rd Edition: Chapter 3
CSCI-1680 Wrap-up Lecture Rodrigo Fonseca With some material from Jen Rexford
CSCI-1680 Wrap-up Lecture Rodrigo Fonseca With some material from Jen Rexford
CSCI-1680 Wrap-up Lecture John Jannotti Material from Rodrigo Fonseca and Jen Rexford
CSCI-1680 Wrap-up Lecture John Jannotti Material from Rodrigo Fonseca and Jen Rexford
CS640: Introduction to Computer Networks Aditya Akella Lecture 14
CS640: Introduction to Computer Networks Aditya Akella Lecture 14
Download
advertisement