Answer

Assume this is the topology diagram. From the topology above we can assume:

2- At the firewall device we set NAT to translate private to public IP addresses.
3- Users can access the web server using a web browser, and HTTP is its application protocol.
4- The transport protocol for HTTP is TCP.
5- Under normal conditions TCP uses a three-way handshake to initiate the connection.
7- A hacker can combine the TCP three-way handshake and the simultaneous-open handshake by using a TCP split handshake, which is one of the firewall's weaknesses.
Users can access www.acme-art.inc using a web browser over HTTP on port 80. HTTP runs over
TCP as its transport protocol. We usually think the system will be secure
because the company's assets are protected by a firewall device. But the fact
is that this appliance has some weaknesses. One of the firewall's weaknesses
is that it cannot handle the "TCP split handshake".
TCP is a connection-oriented protocol, so it requires connection
establishment before data transfer begins. Normally TCP uses a three-way
handshake to start a connection. This figure will show us how the three-way
handshake is built.
For a connection to be
established or initialized, the two hosts must synchronize on each other's
initial sequence numbers (ISN). The synchronization requires each side to send
its own initial sequence number and to receive a confirmation of its successful
transmission within the acknowledgment (ACK) from the other side.
In a simultaneous open connection,
both the client and the server send a SYN packet to each other at about the same
time. Then both sides also send ACK packets to each other in response.
Split-handshake combines aspects of the normal three-way handshake
with the simultaneous-open handshake. Essentially, a client sends a SYN packet
to a server, intending to complete a normal three-way handshake. However,
rather than completing the client’s three-way handshake, a malicious server
starts by replying as though it were doing a simultaneous-open connection, and
then starts its own three-way handshake in the other direction — from server to
client. So in essence, even though the client started the connection to the
server, the logical direction of this connection gets reversed.
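To make the direction reversal concrete from a defender's side, here is an added example (not part of the original post) that classifies a captured handshake as three-way, simultaneous-open or split, and compares the naive rule many inspectors use ("whoever sends SYN/ACK is the server") against the robust rule ("whoever received the first SYN is the server"). The packet traces and the addresses 10.0.0.5 and 203.0.113.10 are constructed placeholders.

```python
# Constructed sample traces: (src, dst, flags). Hosts are placeholders.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"

THREE_WAY = [
    (CLIENT, SERVER, {"SYN"}),
    (SERVER, CLIENT, {"SYN", "ACK"}),
    (CLIENT, SERVER, {"ACK"}),
]

SIMULTANEOUS_OPEN = [
    (CLIENT, SERVER, {"SYN"}),
    (SERVER, CLIENT, {"SYN"}),
    (CLIENT, SERVER, {"SYN", "ACK"}),
    (SERVER, CLIENT, {"SYN", "ACK"}),
]

SPLIT_HANDSHAKE = [
    (CLIENT, SERVER, {"SYN"}),
    (SERVER, CLIENT, {"SYN"}),          # server ignores the client's SYN, sends its own
    (CLIENT, SERVER, {"SYN", "ACK"}),   # client now answers the way a server would
    (SERVER, CLIENT, {"ACK"}),          # server completes the reversed handshake
]

def naive_server(packets):
    """Direction rule of a naive inspector: the sender of SYN/ACK is the server."""
    for src, _dst, flags in packets:
        if flags == {"SYN", "ACK"}:
            return src
    return None

def classify(packets):
    """Return (handshake_type, true_server); the true server is the host that
    received the first SYN, regardless of who later sends SYN/ACK."""
    first = next((p for p in packets if p[2] == {"SYN"}), None)
    if first is None:
        return ("no-handshake", None)
    initiator, responder = first[0], first[1]
    bare_syn_from_responder = False
    synack_senders = []
    for src, _dst, flags in packets:
        if flags == {"SYN"} and src == responder:
            bare_syn_from_responder = True
        if flags == {"SYN", "ACK"}:
            synack_senders.append(src)
    if not bare_syn_from_responder and synack_senders == [responder]:
        return ("three-way", responder)
    if bare_syn_from_responder and set(synack_senders) == {initiator, responder}:
        return ("simultaneous-open", responder)
    if bare_syn_from_responder and synack_senders == [initiator]:
        return ("split-handshake", responder)
    return ("unknown", responder)

def inspect(packets):
    """Flag traces where the naive direction rule disagrees with the robust one."""
    kind, true_server = classify(packets)
    guessed = naive_server(packets)
    return {"type": kind, "true_server": true_server,
            "naive_server": guessed, "direction_confused": guessed != true_server}
```

Running `inspect(SPLIT_HANDSHAKE)` reports `direction_confused: True`, which is exactly the condition under which a scanner that trusts the SYN/ACK sender would treat the internal client as the server and skip inspecting the external server's content.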
Here is a real-world example. Say an unpatched client in the network
connects to a malicious drive-by download web server that is not leveraging the
split-handshake attack. The malicious web site tries to get the client to execute
some JavaScript that forces the client to
download malware. If you have a gateway IPS and AV, the IPS may detect the malicious JavaScript,
or the AV may catch the malware. In either
case, security scanning would block the
attack.
However, if the malicious web server adds the TCP split-handshake
connection to the same attack, IPS and
AV systems may be confused by the direction of the traffic, and not scan the
web server’s content. Now the malicious drive-by download would succeed,
despite gateway security protection.
So to summarize, the TCP split-handshake attack may help malicious
servers bypass security scanning services on
gateway security devices. However, it will not allow external attackers
to bypass firewall policies, and it
requires that an internal client start the connection in the first place.
Source:
All sources were accessed on September 19, 2013.