Firewall software open to TCP handshake hack, says NSS Labs

Discussion in 'other firewalls' started by lotuseclat79, Apr 14, 2011.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Very interesting.
    Any idea how our, consumer grade, firewalls might behave? Especially those where few computers are hooked to a router and often IPs setup as trusted for everything. I suspect ZA will see it, but what about all others?
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A thread concerning packet filtering, quite unusual.

    This is about how firewalls/NAT handle (allow or block) TCP simultaneous-open. It is a test I made (when I had the time/inclination to test) on firewalls.


    - Stem
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Did they really mean "not vulnerable" or just the opposite considering this further quote
    Regardless, Stem, can you explain this "TCP Split Handshake" process a bit further. I realize you haven't tested firewalls recently, but an explanation of the process would be very interesting to hear. Especially, us, consumer firewall users with tiny LANs behind a Linksys router, for instance.

    I'm using packet filter firewall(s) so I'm interested to learn more :)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    There is a PDF at nmap that explains. Direct download link http://nmap.org/misc/split-handshake.pdf


    - Stem
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Stem, thank you. Very interesting reading with good illustrations of the many flavors of handshake in your link above.
    About simultaneous open, split handshake, implications for NAT.
    Good paper.
    Some is proof of concept and great material for hackers, but really worth reading, even if to only get a drift :)
     
  7. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    I have the feeling i ve observed strange things that seem to be similar to what is described here since 2007 on some of my routers.
    And as this is now public we can presume hackers use something else already :)
     
Loading...
Thread Status:
Not open for further replies.