1 / 16

TCP SPLIT HANDSHAKE ATTACK

TCP SPLIT HANDSHAKE ATTACK. Mehmet Burak AKGÜN 04/27/2011. Outl ine. Introduction Attack Mechanism NSS LABS Test Results. Introduction . TCP Transport Layer Protocol Connection Oriented State-full sequence #. Introduction . TCP Reliability ACK/NACK Flow Control

wayne
Download Presentation

TCP SPLIT HANDSHAKE ATTACK

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TCP SPLIT HANDSHAKE ATTACK Mehmet Burak AKGÜN 04/27/2011

  2. Outline • Introduction • Attack Mechanism • NSS LABS Test Results

  3. Introduction TCP • Transport Layer Protocol • Connection Oriented • State-full • sequence #

  4. Introduction TCP • Reliability ACK/NACK • Flow Control • Congestion Control Slow start /Automatic Repeat Request

  5. 3-way Handshake • SYN • client initiates • Sets sequence number to random number • SYN/ACK • Server generates own random number • ACK • Connection Established

  6. Outline • Introduction • Method • Test of commercial products

  7. RFC 793 - TCP State Diagram RFC 793 definition of TCP Handshake • Section 3.3 of RFC 793 defines TCP handshake as a 4 step process. • Thus designed state diagram allows receiving only SYN while in SYN_SENT state.

  8. Simultaneous Open Mode • 4 step handshaking allows Simultaneous Open Mode

  9. SPLIT SYN/ACK 5 step TCP SPLIT • Malicious Server splits the SYN/ ACK and sends ACK only.

  10. SPLIT SYN/ACK Step two (the server's initial ACK), appears to have no effect on establishing a new TCP session, and may optionally dropped.

  11. So What Can an Attacker Accomplish with this Attack? The attacker has reversed the logical direction of the client’s initial connection

  12. Scenario • Say an unpatched client in your network connects to a malicious drive-by download web server that is not leveraging the split-handshake attack. The malicious web site tries to get your client to execute some javascript that forces your client to download malware. If you have gateway IPS and AV, your IPS may detect the malicious javascript, or your AV may catch the malware. In either case, your security scanning would block the attack. • However, if the malicious web server adds the TCP split-handshake connection to the same attack, your IPS and AV systems may be confused by the direction of the traffic, and not scan the web server’s content. Now the malicious drive-by download would succeed, despite your gateway security protection. CNL 2010

  13. Outline • Introduction • Method • Test of commercial products

  14. Network Firewall Group Test Q2 2011 by NSS LABS • Full Report $3500 • Products Tested: Check Point Power-1 11065 Cisco ASA 5585 Fortinet Fortigate 3950 Juniper SRX 5800 Palo Alto Networks PA-4020 SonicWALL NSA E8500 • Companies are releasing firmware updates !

  15. References • The TCP Split Handshake: Practical Effects on Modern Network Equipment, Macrothink Institute, Network Protocols and Algorithms, ISSN 1943-3581, 2010, Vol. 2, No. 1 • John, Wolfgang & Tafvelin, Sven, “Analysis of Internet Backbone Traffic and Header Anomalies Observed”. IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, Pp 111-116. October 2007. • http://watchguardsecuritycenter.com/2011/04/15/what-is-the-tcp-split-handshake-attack-and-does-it-affect-me/ • http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm • http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html • www.nmap.org • http://www.technicolor.com/en/hi/research-innovation/research-publications/security-newsletters/security-newsletter-17/a-new-way-for-tcp-connection CNL 2010

  16. QUESTIONS ? CNL 2010

More Related