TCP Split Handshake spoof


TCP Split Handshake spoof


Hi, I would appreciate it if someone from the PA team could address the following question.

In the recent NSS Labs Firewall Comparative Group Test Report Q1 2011, of the 6 products reviewed and tested, 5 were susceptible to the above type of attack. For details see http://www.securityweek.com/testing-lab-exposes-major-flaws-industry-leading-firewalls

Q: Can someone advise if PA was one of the failed vendors? If so, were any changes made to address the issue? Can we get any information as to how PA did in this review/test?

I look forward to your reply, many thanks

1 accepted solution

Accepted Solutions

L3 Networker

Here is an overview of the TCP Split Handshake Evasion Technique, plus status for a fix in PAN-OS

Overview: The TCP split handshake evasion technique is designed to confuse content decoder state machines, allowing a vulnerability exploit or similar threat to bypass detection from network-based security devices. The evasion technique works by modifying the standard TCP 3-way handshake in a way that can confuse a decoder state machine. The connection starts with the SYN from client to server, then a SYN/ACK back as normal, but then a second SYN is sent from the server back to the client. Although the client will ignore this second SYN packet, it confuses many decoder engines into thinking that the session was initiated in the opposite direction. The net result is that functions based on a decoder (such as App-ID and threat detection) will be inaccurate. Additional details on how a TCP split handshake evasion works can be found in this document: http://nmap.org/misc/split-handshake.pdf.


For the above evasion technique to work, the server must first be compromised as it is initiating the evasion technique. If this is done, though, then the result is the possibility of bypassing correct application classification and threat detection within the Palo Alto Networks device.

It should be noted that this evasion technique has not yet been documented in use in the wild, probably because there are much easier evasion techniques - simply turn on SSL for encrypted communication. Nearly all firewalls and IPSs cannot decrypt SSL traffic, although Palo Alto Networks next generation firewalls can decrypt SSL traffic in both outbound and inbound directions.


Affected PAN-OS versions: PAN-OS 4.0.2 running on any Palo Alto Networks hardware platform prevents this evasion technique by alerting that the split handshake was seen and correctly decoding the traffic. PAN-OS 3.1.9 is currently in process and is expected to be available by late April or early May. Other PAN-OS versions are currently susceptible to this evasion technique.


Workaround: Enabling SYN cookies will prevent this evasion from working as well, since SYN cookies force a correct 3-way handshake.

Thanks,

Lee

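To make the direction confusion described above concrete, here is an added Python example (not from Lee's post and not Palo Alto Networks code): a small handshake tracker that pins the client/server roles to the first SYN it sees and reports a later SYN from the server as an anomaly, beside a naive decoder that takes the most recent bare SYN as the connection start and therefore flips its idea of direction on the split handshake. It also flags the related variant from the linked nmap paper, where the server answers the initial SYN with a bare SYN rather than a SYN/ACK. All addresses and packet sequences are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# Constructed, simplified packet: only the fields the handshake tracker needs.
@dataclass(frozen=True)
class Pkt:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: frozenset  # subset of {"SYN", "ACK"}


@dataclass
class Flow:
    client: Optional[str] = None   # side that sent the first SYN
    server: Optional[str] = None
    state: str = "NEW"
    alerts: List[str] = field(default_factory=list)


def flow_key(a: str, b: str) -> Tuple[str, str]:
    """Direction-independent key so both halves of a flow share one record."""
    return (a, b) if a < b else (b, a)


class HandshakeTracker:
    """Tracks the TCP handshake per flow.

    The direction is fixed by the first SYN and never flipped afterwards, so a
    later SYN from the server is reported as an anomaly instead of being
    treated as a new connection in the reverse direction.
    """

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], Flow] = {}

    def feed(self, p: Pkt) -> Flow:
        f = self.flows.setdefault(flow_key(p.src, p.dst), Flow())
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        if f.state == "NEW":
            if syn and not ack:
                f.client, f.server, f.state = p.src, p.dst, "SYN_SENT"
        elif f.state == "SYN_SENT" and p.src == f.server:
            if syn and ack:
                f.state = "SYN_RECEIVED"
            elif syn:
                # Variant from the nmap paper: server answers with a bare SYN.
                f.alerts.append("split handshake: server replied with SYN instead of SYN/ACK")
                f.state = "SYN_RECEIVED"
        elif f.state == "SYN_RECEIVED":
            if syn and not ack and p.src == f.server:
                # The variant in the post: an extra SYN from the server after SYN/ACK.
                f.alerts.append("split handshake: extra SYN from server after SYN/ACK")
            elif ack and not syn and p.src == f.client:
                f.state = "ESTABLISHED"
        return f


def naive_initiator(packets: List[Pkt]) -> Optional[str]:
    """Mimics a fragile decoder that takes the most recent bare SYN as the
    connection start; the split handshake makes it swap client and server."""
    initiator = None
    for p in packets:
        if "SYN" in p.flags and "ACK" not in p.flags:
            initiator = p.src
    return initiator


def analyze(packets: List[Pkt]) -> Flow:
    """Run one packet sequence (a single flow) through the tracker."""
    tracker = HandshakeTracker()
    flow = Flow()
    for p in packets:
        flow = tracker.feed(p)
    return flow


SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
C, S = "10.0.0.5:51000", "203.0.113.10:80"   # constructed client and server

# Constructed samples: a normal 3-way handshake and the split handshake from the post.
NORMAL = [Pkt(C, S, SYN), Pkt(S, C, SYNACK), Pkt(C, S, ACK)]
SPLIT = [Pkt(C, S, SYN), Pkt(S, C, SYNACK), Pkt(S, C, SYN), Pkt(C, S, ACK)]

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("split", SPLIT)):
        f = analyze(seq)
        print(f"{name}: client={f.client} state={f.state} alerts={f.alerts} "
              f"naive initiator={naive_initiator(seq)}")
```

Running it shows the two decoders disagree only on the split sequence: the tracker keeps `10.0.0.5:51000` as the client and raises one alert, while the naive decoder reports the server as the initiator, which is exactly the inversion that makes direction-dependent decoding (App-ID, threat signatures) inaccurate.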

2 REPLIES


Thanks for the reply Lee - appreciate it. I will follow up with support re: zone-protection profile and syn cookies enablement.
