# Pf & TCP Split Handshake



## RattleAndHum (Apr 13, 2011)

Hello,
today the TCP Split Handshake spoof (or Sneak-ACK attack) was in the news and that some commercial firewalls are not handling these. What about Pf running on FreeBSD (7.4 and 8.x)?
A .pdf about the TCP Split Handshare spoof: http://nmap.org/misc/split-handshake.pdf
Regards,
Lars.


----------



## gkontos (Apr 13, 2011)

RattleAndHum said:
			
		

> Hello,
> today the TCP Split Handshake spoof (or Sneak-ACK attack) was in the news and that some commercial firewalls are not handling these. What about Pf running on FreeBSD (7.4 and 8.x)?
> A .pdf about the TCP Split Handshare spoof: http://nmap.org/misc/split-handshake.pdf
> Regards,
> Lars.


This has been around for a year now.

This is mainly a IP/V4 problem. Looking forward to IPV6...


----------



## SirDice (Apr 14, 2011)

gkontos said:
			
		

> This is mainly a IP/V4 problem. Looking forward to IPV6...


I'm not so sure about that. If I'm not mistaken even IPv6 uses RFC-793 (which is where this 'split handshake' is defined).

But besides that, I'm not getting the "problem" here. A client sends a SYN and it's the server that does the split handshake. So I'm wondering how this would circumvent any firewall rules. Perhaps it's not so much a way to circumvent the firewall but more a way to covertly create a connection.

I really need to read that document more closely when I have some time.


----------



## gkontos (Apr 15, 2011)

You are right at both however IPV6 offers some integrated security that V4 lacks. Now, regarding if this is a firewall issue or not. Again it is and it isn't! If a firewall's only job is to permit / deny packets according to rules then it is not. But most modern firewalls have the ability to block certain attacks that are based on protocol abuse such as SYN flooding etc. So, in other words a modern firewall with an integrated NIDS should be able to detect such an attack and reject it. Again this is all rhetorical...

Regards,


----------



## mamalos (Apr 16, 2011)

patrida (@gkontos),

I haven't read the pdf, and I don't know what this TCP Split Handshake spoof is, but what RattleAndHum might be implying is that through this technique one may bypass packet filtering firewalls if they cannot handle "such" packets correctly. For example, if such an attack could "magically" confuse the state engine of a firewall and allow the attacker to send traffic behind the firewall, then this would be a firewall issue. If not, then you're right, it would be an IDS issue.


----------



## chavez243ca (Apr 22, 2011)

Mainly, NSS was referencing NextGen Firewalls - UTM types - gear that is doing deep packet inspection (IDS/IPS, malware filtering etc.)  Big dollar items and not so much about good ole stateful FW.

I've got a lab setup and I'm currently working with the ruby fakestack.rb tool to try to reproduce what NSS claims to have seen.  However thus far, using both a BSD and Debian server side (running fakestack) my results have not jived.

This is becoming a really over-hyped and misunderstood networking anomaly.  I'll try to remember to chirp back in here once I have some more concrete results.

It seems to be a really synthetic and highly theoretical problem.


----------

