TCP Split Handshake Attack

advertisement
TCP SPLIT HANDSHAKE ATTACK
Mehmet Burak AKGÜN
04/27/2011
Outline
• Introduction
• Attack Mechanism
• NSS LABS Test Results
2
Introduction
TCP
• Transport Layer Protocol
• Connection Oriented
• State-full
• sequence #
3
Introduction
TCP
• Reliability
ACK/NACK
• Flow Control
• Congestion Control
Slow start /Automatic Repeat Request
4
3-way Handshake
• SYN
– client initiates
– Sets sequence number to random number
• SYN/ACK
– Server generates own random number
• ACK
– Connection Established
5
Outline
• Introduction
• Method
• Test of commercial products
6
RFC 793 - TCP State Diagram
RFC 793 definition of TCP Handshake
• Section 3.3 of RFC 793 defines TCP
handshake as a 4 step process.
• Thus designed state diagram allows
receiving only SYN while in SYN_SENT
state.
7
Simultaneous Open Mode
• 4 step handshaking allows Simultaneous Open Mode
8
SPLIT SYN/ACK
5 step TCP SPLIT
• Malicious Server splits the SYN/ ACK and sends ACK only.
9
SPLIT SYN/ACK
Step two (the server's initial ACK), appears to have no effect on
establishing a new TCP session, and may optionally dropped.
10
So What Can an Attacker Accomplish with this Attack?
The attacker has reversed the logical direction of the client’s initial
connection
11
Scenario
•
Say an unpatched client in your network connects to a malicious drive-by
download web server that is not leveraging the split-handshake attack. The
malicious web site tries to get your client to execute some javascript that forces
your client to download malware. If you have gateway IPS and AV, your IPS may
detect the malicious javascript, or your AV may catch the malware. In either case,
your security scanning would block the attack.
•
However, if the malicious web server adds the TCP split-handshake connection to
the same attack, your IPS and AV systems may be confused by the direction of the
traffic, and not scan the web server’s content. Now the malicious drive-by
download would succeed, despite your gateway security protection.
CNL 2010
12
Outline
• Introduction
• Method
• Test of commercial products
13
Network Firewall Group Test Q2 2011 by NSS LABS
• Full Report $3500
• Products Tested:
Check Point Power-1 11065
Cisco ASA 5585
Fortinet Fortigate 3950
Juniper SRX 5800
Palo Alto Networks PA-4020
SonicWALL NSA E8500
• Companies are releasing firmware updates !
14
References

The TCP Split Handshake: Practical Effects on Modern Network Equipment, Macrothink Institute, Network
Protocols and Algorithms, ISSN 1943-3581, 2010, Vol. 2, No. 1
•
John, Wolfgang & Tafvelin, Sven, “Analysis of Internet Backbone Traffic and Header
Anomalies Observed”. IMC '07: Proceedings of the 7th ACM SIGCOMM conference on
Internet measurement, Pp 111-116. October 2007.

http://watchguardsecuritycenter.com/2011/04/15/what-is-the-tcp-split-handshake-attack-and-does-itaffect-me/

http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm

http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html

www.nmap.org

http://www.technicolor.com/en/hi/research-innovation/research-publications/securitynewsletters/security-newsletter-17/a-new-way-for-tcp-connection
CNL 2010
15
QUESTIONS
?
CNL 2010
16
Download