FortiGate
pjawalekar (Staff)
Article Id 239186
Description

This article describes how to block the 'TCP split handshake' in intrusion prevention.

Scope

FortiGate.
Solution

TCP is a connection-oriented protocol. The host initiating the connection, referred to as the client, sends its peer, referred to as the server, a synchronization packet, or SYN.

Upon receiving the SYN, the server acknowledges it and generates its own SYN together with the acknowledgment: this is the 'SYN/ACK'.

To establish the session, the client concludes the three-way handshake by acknowledging the server's SYN/ACK: it sends a packet with its own SYN (sequence number) incremented by one and an acknowledgment number equal to the server's SYN plus 1.

However, there are a few other ways to establish a TCP connection: the split handshake and the simultaneous open. The table below illustrates the behavior of each:

 

4-way split handshake (first variant)

1. Client --> Server SYN
2. Client <-- Server ACK
3. Client <-- Server SYN
4. Client --> Server ACK

4-way split handshake (second variant)

1. Client --> Server SYN
2. Client <-- Server SYN
3. Client --> Server SYN/ACK
4. Client <-- Server ACK

Simultaneous open

1. Client --> Server SYN
2. Client <-- Server SYN
3. Client --> Server SYN/ACK
4. Client <-- Server SYN/ACK

5-way split handshake

1. Client --> Server SYN
2. Client <-- Server ACK
3. Client <-- Server SYN
4. Client --> Server SYN/ACK
5. Client <-- Server ACK


While these are valid TCP handshakes, they can confuse some network security devices into not properly processing a TCP flow.

Note that the FortiGate firewall correctly handles split handshakes and simultaneous open sessions, including all Layer 7 processing of sessions established with this kind of handshake.

This feature adds the possibility to simply drop the TCP split handshake (server SYN) in the security profile applied to the policy. If this setting is enabled, any SYN packet from the server is dropped. This prevents a complete handshake using any of the 4-way or 5-way variants.

In short, the Split Handshake option in the firewall prevents a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.

When the Split Handshake option is configured and the profile is applied, TCP sessions on those interfaces must be established using the standard three-way handshake; variations are not allowed.
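The following Python script is an added example, not code from this article or from Fortinet. It models the handshake variants listed in the table above as sequences of (direction, flags) segments, shows the trait they share (the server sends a bare SYN, which the standard three-way handshake never does), and simulates the effect of the 'Block' action described above: every server-originated SYN is discarded, after which none of the split or simultaneous-open variants can complete while the three-way handshake still does. The segment representation, the handshake names and the simplified establishment model (each side must send a SYN and have it acknowledged by the peer) are assumptions of this example.

```python
from typing import Dict, List, Tuple

# A segment is (direction, flags). "C>S" is client to server, "S>C" is
# server to client. Flags are "SYN", "ACK" or "SYN/ACK".
Segment = Tuple[str, str]

# The handshake variants from the table, plus the standard three-way handshake
# for comparison. Constructed sequences for illustration, not captured traffic.
HANDSHAKES: Dict[str, List[Segment]] = {
    "three-way":         [("C>S", "SYN"), ("S>C", "SYN/ACK"), ("C>S", "ACK")],
    "4-way split (A)":   [("C>S", "SYN"), ("S>C", "ACK"), ("S>C", "SYN"), ("C>S", "ACK")],
    "4-way split (B)":   [("C>S", "SYN"), ("S>C", "SYN"), ("C>S", "SYN/ACK"), ("S>C", "ACK")],
    "simultaneous open": [("C>S", "SYN"), ("S>C", "SYN"), ("C>S", "SYN/ACK"), ("S>C", "SYN/ACK")],
    "5-way split":       [("C>S", "SYN"), ("S>C", "ACK"), ("S>C", "SYN"), ("C>S", "SYN/ACK"), ("S>C", "ACK")],
}


def classify(segments: List[Segment]) -> str:
    """Name the handshake variant, or 'unknown' if it matches none of the table rows."""
    for name, pattern in HANDSHAKES.items():
        if list(segments) == pattern:
            return name
    return "unknown"


def uses_server_syn(segments: List[Segment]) -> bool:
    """Every non-standard variant has one trait in common: the server sends a bare
    SYN (not a SYN/ACK). That is the packet the TCP.Split.Handshake signature drops."""
    return any(d == "S>C" and f == "SYN" for d, f in segments)


def block_server_syn(segments: List[Segment]) -> List[Segment]:
    """Simulate the IPS action 'Block': discard every server-originated bare SYN
    and return the segments that still reach the peer."""
    return [s for s in segments if not (s[0] == "S>C" and s[1] == "SYN")]


def handshake_completes(segments: List[Segment]) -> bool:
    """Minimal model of TCP establishment (an assumption of this example): each
    side must send a SYN, and each SYN must be acknowledged by a later ACK or
    SYN/ACK from the peer."""
    syn_sent = {"C>S": False, "S>C": False}
    syn_acked = {"C>S": False, "S>C": False}
    for direction, flags in segments:
        peer = "S>C" if direction == "C>S" else "C>S"
        if "SYN" in flags:
            syn_sent[direction] = True
        # An ACK only counts once the peer's SYN has actually been seen.
        if "ACK" in flags and syn_sent[peer]:
            syn_acked[peer] = True
    return all(syn_sent.values()) and all(syn_acked.values())


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """For each variant: (completes with the signature on 'pass',
    completes with the signature on 'block')."""
    return {
        name: (handshake_completes(seq), handshake_completes(block_server_syn(seq)))
        for name, seq in HANDSHAKES.items()
    }


if __name__ == "__main__":
    for name, (on_pass, on_block) in evaluate().items():
        print(f"{name:18s} server SYN: {str(uses_server_syn(HANDSHAKES[name])):5s} "
              f"completes (pass/block): {on_pass}/{on_block}")
```

Running the script prints one line per variant; only the three-way handshake completes under both actions, which is the behavior the article describes for the blocked signature.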

 

To check the default/current setting of the 'TCP.Split.Handshake' signature on the firewall, navigate to:

Security Profiles -> IPS Signatures -> search for the signature 'TCP.Split.Handshake'.


The default action is 'pass' for the 'TCP.Split.Handshake' signature.

 

To block 'TCP.Split.Handshake' on the firewall, navigate to:

Security Profiles -> Intrusion Prevention -> open the IPS profile to edit -> under IPS Signatures and Filters, select Create New -> search for 'TCP.Split.Handshake' -> under Type, select Signatures -> set Action to Block and Status to Enable -> save the changes.
