
1 TCP SPLIT HANDSHAKE ATTACK Mehmet Burak AKGÜN 04/27/2011

2 Outline
Introduction
Attack Mechanism
NSS Labs Test Results

3 Introduction
TCP: transport layer protocol
Connection oriented
Stateful
Sequence numbers

4 Introduction
TCP reliability: acknowledgments (ACK) with retransmission of unacknowledged data (automatic repeat request)
Flow control
Congestion control: slow start

5 3-way Handshake
SYN: the client initiates and picks a random initial sequence number (ISN)
SYN/ACK: the server acknowledges the client's ISN and sends its own random ISN
ACK: the client acknowledges the server's ISN; the connection is established

6 Outline
Introduction
Method
Test of commercial products

7 RFC 793 - TCP State Diagram
Section 3.4 of RFC 793 ("Establishing a connection") defines, besides the three-way handshake, a four-step handshake. The resulting state diagram allows an endpoint in SYN_SENT to accept a bare SYN, not only a SYN/ACK: it answers with its own SYN/ACK and moves to SYN_RECEIVED.

8 Simultaneous Open Mode
The four-step handshake allows simultaneous open: both endpoints send a SYN, each answers the other's SYN with a SYN/ACK, and both end up ESTABLISHED.

9 SPLIT SYN/ACK
The malicious server splits its SYN/ACK into two segments: it first sends a bare ACK, then a bare SYN. The client, still in SYN_SENT, accepts the SYN and answers with a SYN/ACK, which the server then ACKs: a five-step TCP split handshake (SYN, ACK, SYN, SYN/ACK, ACK).

10 SPLIT SYN/ACK
Step two (the server's initial ACK) has no effect on establishing the session: an endpoint in SYN_SENT discards an acceptable ACK that carries no SYN. The server may therefore drop it, leaving a four-step exchange that looks exactly like a simultaneous open.

11 So What Can an Attacker Accomplish with this Attack?
The attacker has reversed the logical direction of the client's initial connection: a device that decides who the initiator is from the SYN/ACK (the side that answered a SYN) now sees the server as the client and the client as the server, and may apply its inspection and policy the wrong way around.
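The exchanges on slides 5 through 11, replayed as an added example that is not part of the original presentation or of the cited paper. It models only the RFC 793 connection-establishment states (LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED), runs the normal three-way handshake, the five-step split handshake and the four-step variant with the server's bare ACK dropped, and observes each with two toy middlebox trackers: one that infers the initiator from the SYN/ACK and is fooled, and one that keys direction on the first bare SYN and flags the later reverse SYN instead. The host names, the ISNs 1000 and 5000 and both tracker policies are constructed for this example.

```python
"""Added illustration of the TCP split handshake (not code from the slides).
Hosts, ISNs and tracker policies are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ack_num: int = 0

    def flags(self):
        return "+".join(f for f, on in (("SYN", self.syn), ("ACK", self.ack)) if on)


class Endpoint:
    """Connection-establishment states only: LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED."""

    def __init__(self, name, iss, malicious=False):
        self.name, self.iss, self.malicious = name, iss, malicious
        self.state, self.snd_nxt, self.rcv_nxt = "CLOSED", iss, None

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer):
        self.state, self.snd_nxt = "SYN_SENT", self.iss + 1
        return [Segment(self.name, peer, syn=True, seq=self.iss)]

    def _syn_ack(self, to):
        return Segment(self.name, to, syn=True, ack=True, seq=self.iss, ack_num=self.rcv_nxt)

    def receive(self, seg):
        """Consume one segment and return the segments this side sends in reply."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            self.rcv_nxt, self.snd_nxt = seg.seq + 1, self.iss + 1
            if self.malicious:
                # Split handshake: the ACK and the SYN go out as two segments instead of
                # one SYN/ACK, and the server waits in SYN_SENT as if it were the initiator.
                self.state = "SYN_SENT"
                return [Segment(self.name, seg.src, ack=True, seq=self.iss, ack_num=self.rcv_nxt),
                        Segment(self.name, seg.src, syn=True, seq=self.iss)]
            self.state = "SYN_RECEIVED"
            return [self._syn_ack(seg.src)]
        if self.state == "SYN_SENT":
            if seg.ack and seg.ack_num != self.snd_nxt:
                return []          # unacceptable ACK (RFC 793 would reset); dropped here
            if not seg.syn:
                return []          # acceptable ACK without SYN: RFC 793 3.9 says drop it
            self.rcv_nxt = seg.seq + 1
            if seg.ack:            # SYN/ACK: normal second step, finish with an ACK
                self.state = "ESTABLISHED"
                return [Segment(self.name, seg.src, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)]
            self.state = "SYN_RECEIVED"   # bare SYN while in SYN_SENT: simultaneous-open path
            return [self._syn_ack(seg.src)]
        if self.state == "SYN_RECEIVED" and seg.ack and seg.ack_num == self.snd_nxt:
            self.state = "ESTABLISHED"
        return []


class SynAckTracker:
    """Naive middlebox: the sender of the SYN/ACK is the server, so its peer is the initiator."""

    def __init__(self):
        self.initiator = None

    def observe(self, seg):
        if seg.syn and seg.ack:
            self.initiator = seg.dst


class FirstSynTracker:
    """Keys direction on the first bare SYN; a later bare SYN from the other side is
    flagged as a simultaneous-open/split pattern rather than allowed to re-key the flow."""

    def __init__(self):
        self.initiator, self.reverse_syn = None, False

    def observe(self, seg):
        if seg.syn and not seg.ack:
            if self.initiator is None:
                self.initiator = seg.src
            elif seg.src != self.initiator:
                self.reverse_syn = True


def run_handshake(malicious=False, drop_initial_ack=False):
    client, server = Endpoint("client", 1000), Endpoint("server", 5000, malicious=malicious)
    server.listen()
    hosts = {"client": client, "server": server}
    naive, robust = SynAckTracker(), FirstSynTracker()
    queue, trace = client.connect("server"), []
    while queue:
        seg = queue.pop(0)
        if drop_initial_ack and seg.src == "server" and seg.ack and not seg.syn:
            drop_initial_ack = False        # lose step two only; the final ACK must get through
            trace.append(f"{seg.src}->{seg.dst} {seg.flags()} (dropped)")
            continue
        trace.append(f"{seg.src}->{seg.dst} {seg.flags()}")
        naive.observe(seg)
        robust.observe(seg)
        queue.extend(hosts[seg.dst].receive(seg))
    return {"client": client.state, "server": server.state, "trace": trace,
            "naive_initiator": naive.initiator, "robust_initiator": robust.initiator,
            "reverse_syn": robust.reverse_syn}
```

Call `run_handshake()` for the normal exchange, `run_handshake(malicious=True)` for the five-step split and `run_handshake(malicious=True, drop_initial_ack=True)` for the four-step variant. All three end with both endpoints ESTABLISHED; in both split variants the SYN/ACK-based tracker names the server as the initiator while the first-SYN tracker keeps the client as initiator and raises `reverse_syn`, which is the condition a stateful inspector should log or apply its client-side policy to rather than silently re-keying the flow.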

12 Scenario
Say an unpatched client in your network connects to a malicious drive-by download web server that is not using the split-handshake attack. The malicious web site tries to get your client to execute some JavaScript that forces your client to download malware. If you have gateway IPS and AV, your IPS may detect the malicious JavaScript, or your AV may catch the malware. In either case, your security scanning would block the attack. However, if the malicious web server adds the TCP split handshake to the same attack, your IPS and AV systems may be confused about the direction of the traffic and not scan the web server's content. Now the malicious drive-by download would succeed, despite your gateway security protection.
CNL 2010

13 Outline
Introduction
Method
Test of commercial products

14 Network Firewall Group Test Q2 2011 by NSS Labs
Full report: $3500
Products tested:
Check Point Power-1 11065
Cisco ASA 5585
Fortinet FortiGate 3950
Juniper SRX 5800
Palo Alto Networks PA-4020
SonicWALL NSA E8500
Companies are releasing firmware updates!

15 References
The TCP Split Handshake: Practical Effects on Modern Network Equipment. Network Protocols and Algorithms (Macrothink Institute), ISSN 1943-3581, 2010, Vol. 2, No. 1.
John, Wolfgang and Tafvelin, Sven. "Analysis of Internet Backbone Traffic and Header Anomalies Observed". IMC '07: Proceedings of the 7th ACM SIGCOMM Conference on Internet Measurement, pp. 111-116, October 2007.
http://watchguardsecuritycenter.com/2011/04/15/what-is-the-tcp-split-handshake-attack-and-does-it-affect-me/
http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm
http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html
http://www.nmap.org
http://www.technicolor.com/en/hi/research-innovation/research-publications/security-newsletters/security-newsletter-17/a-new-way-for-tcp-connection

16 Questions?
