[Owasp-turkey] Fwd: Split Handshake Attack

Ömer Altundal omeraltundal at hotmail.com
Thu Jun 3 06:13:02 EDT 2010


 
Does it treat the last SYN as a new session and behave as if there were a request going from inside to outside? But the IDS should catch this???

Ömer Faruk Altundal.
omeraltundal at hotmail.com

> Date: Thu, 3 Jun 2010 00:02:32 +0300
> From: musaulker at gmail.com
> To: netsec at lifeoverip.net; owasp-turkey at lists.owasp.org
> Subject: [Owasp-turkey] Fwd: Split Handshake Attack
> 
> Does anyone have information about this attack, friends? I found it interesting..
> 
> --------
> This is awesome.  The usual handshake is SYN, SYN/ACK, ACK, like this:
> 
> Client     SYN -->           Server
> Client     <-- SYN/ACK   Server
> Client     ACK -->           Server
> 
> However, there are permitted variations on this handshake, such as
> this one in which both parties open a session simultaneously:
> 
> Client     SYN -->           Server
> Client     <-- ACK           Server
> Client     <-- SYN           Server
> Client     ACK -->           Server
> 
> That's legal according to the RFCs, but when you do it on real modern
> operating systems, it comes out like this:
> 
> Client     SYN -->           Server
> Client     <-- ACK           Server
> Client     <-- SYN           Server
> Client     SYN/ACK -->   Server
> Client     <-- ACK           Server
> 
> In practice, this really opens a session so data can flow.  But it
> confuses IDS systems so much that they let attacks go right through--
> they don't know what's going on.  Snort, TippingPoint 2400, and
> Juniper SRX 5800 all failed to detect attacks sent after that
> handshake.
> 
> More info here: http://bit.ly/9tUfb9
> 
> -- 
> M.Musa Ülker
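
Added example (not part of the original messages): a small Python classifier that matches a flag sequence against the three exchanges drawn in the quoted message and reports when a sensor that treats the SYN/ACK sender as the server would see the connection direction reversed. The host addresses, the function names and that sensor model are assumptions made for illustration.

```python
"""Classify a TCP opening exchange by its flag sequence (constructed data)."""

# Flag sequences exactly as drawn in the quoted message: (sender, flags).
PATTERNS = {
    "three-way": [("C", "SYN"), ("S", "SYN/ACK"), ("C", "ACK")],
    "simultaneous-open": [("C", "SYN"), ("S", "ACK"), ("S", "SYN"), ("C", "ACK")],
    "split-handshake": [("C", "SYN"), ("S", "ACK"), ("S", "SYN"),
                        ("C", "SYN/ACK"), ("S", "ACK")],
}


def normalise(packets):
    """Relabel hosts: sender of the first bare SYN is 'C', everyone else 'S'."""
    initiator = next((src for src, flags in packets if flags == "SYN"), None)
    return initiator, [("C" if src == initiator else "S", flags)
                       for src, flags in packets]


def naive_client(packets):
    """Client as seen by a sensor that treats whoever sends SYN/ACK as the
    server (an assumed sensor model, not taken from any product)."""
    for src, flags in packets:
        if flags == "SYN/ACK":
            return next((s for s, _ in packets if s != src), None)
    return None


def classify(packets):
    """Return (pattern name, true initiator, True if the naive view is reversed)."""
    initiator, seq = normalise(packets)
    name = next((n for n, p in PATTERNS.items() if p == seq), "unknown")
    guess = naive_client(packets)
    reversed_view = None not in (guess, initiator) and guess != initiator
    return name, initiator, reversed_view


# Constructed traces using documentation addresses (RFC 5737).
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
NORMAL = [(CLIENT, "SYN"), (SERVER, "SYN/ACK"), (CLIENT, "ACK")]
SPLIT = [(CLIENT, "SYN"), (SERVER, "ACK"), (SERVER, "SYN"),
         (CLIENT, "SYN/ACK"), (SERVER, "ACK")]

if __name__ == "__main__":
    for trace in (NORMAL, SPLIT):
        print(classify(trace))
```

Anchoring the session to the sender of the first bare SYN keeps the direction stable across all three exchanges; only the split handshake sets the reversed flag.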