In a TCP split-handshake attack the server, not the client, drives the handshake: instead of replying to the client's SYN in the normal way, it sends the client handshake packets that do not follow the standard state transitions. There is a lot of talk about a TCP split-handshake vulnerability that can affect firewalls and other networking and security devices. To understand the split handshake, first look at how network hosts perform the handshake of a TCP connection.

In the first step the client sends the server a packet with the Synchronize Sequence Number (SYN) flag set, informing the server that the client intends to start communicating. In step 2 the server responds to the client's request with SYN and ACK in one packet: an acknowledgement (ACK) of the client's SYN together with the initial sequence number (SYN) that the server chooses. In the final step (ACK) the client acknowledges the server's response; both sides now consider the connection established and the actual data transfer begins.
Here is a fragment of the simple TCP server code; the server listens on port 1234:
struct sockaddr_in local;           /* address the listening socket binds to */
local.sin_family = AF_INET;         /* IPv4 */
local.sin_port = htons(1234);       /* listen on port 1234 */
local.sin_addr.s_addr = INADDR_ANY; /* accept connections on any local interface */
If I telnet to this server:
# telnet 10.199.30.6 1234
Once I looked at the FortiGate firewall log file and found the following warning:
The following intrusion was observed: "TCP.Split.Handshake".
date=2020-07-15 time=10:10:10 devname=LADYDEBUG-COM-500 devid=AE5D0E987654321 logid="012345678" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1594807810518758879 tz="+0500" severity="medium" srcip=220.127.116.11 srccountry="Canada" dstip=10.19.68.1 srcintf="port8" srcintfrole="wan" dstintf="CORE" dstintfrole="lan" sessionid=102938486 action="detected" proto=6 service="SSH" policyid=9 attack="TCP.Split.Handshake" srcport=22 dstport=22 direction="outgoing" attackid=26339 profile="default" ref="http://www.fortinet.com/ids/VID26339" incidentserialno=1209348756 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"
First of all I checked how the splitting looks in Wireshark and found that the server does not send a normal SYN-ACK response:
So it is split, and Wireshark could capture only one part of it.
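To make the difference between the two handshakes concrete, here is an added example that is not code from the original post and not how FortiGate's IPS implements its signature: a small C tracker that follows the packets of a new flow the way a stateful device does and reports whether it saw a normal three-way handshake or a split one. The packet traces are constructed; TCP_SYN and TCP_ACK are the real flag bits of the TCP header, and every other name (classify, tracker, the ST_* states) is an assumption of this example. The naive_initiator field shows the point of the attack: a device that starts a fresh flow on every bare SYN would, after the server's SYN, treat the server as the client, which is the role confusion the split handshake relies on.

```c
#include <stddef.h>
#include <stdio.h>

#define TCP_SYN 0x02u   /* SYN bit of the TCP flags field */
#define TCP_ACK 0x10u   /* ACK bit of the TCP flags field */

enum dir { C2S, S2C };  /* client -> server, server -> client */
enum verdict { INCOMPLETE, NORMAL_3WHS, SPLIT_HANDSHAKE, INVALID };
enum state { ST_CLOSED, ST_SYN_SENT, ST_SYNACK_SEEN,
             ST_SPLIT_SYN_SEEN, ST_SPLIT_SYNACK_SEEN, ST_ESTABLISHED };

struct pkt { enum dir dir; unsigned flags; };

struct tracker {
    enum state st;
    int split;                /* server put SYN and ACK into separate packets */
    int server_bare_ack;      /* server ACKed the client SYN in a packet without SYN */
    enum dir naive_initiator; /* who a tracker keyed on "last bare SYN" would call the client */
};

static void tracker_init(struct tracker *t)
{
    t->st = ST_CLOSED; t->split = 0; t->server_bare_ack = 0; t->naive_initiator = C2S;
}

/* Feed one packet. Returns 0 on an acceptable handshake transition,
 * -1 if the packet fits no handshake the tracker knows about. */
static int tracker_step(struct tracker *t, struct pkt p)
{
    int syn = (p.flags & TCP_SYN) != 0, ack = (p.flags & TCP_ACK) != 0;

    /* A device that treats every bare SYN as the start of a new flow swaps the
     * client and server roles here; the split handshake relies on exactly that. */
    if (syn && !ack) t->naive_initiator = p.dir;

    switch (t->st) {
    case ST_CLOSED:            /* expect the client's SYN */
        if (p.dir == C2S && syn && !ack) { t->st = ST_SYN_SENT; return 0; }
        break;
    case ST_SYN_SENT:          /* expect SYN-ACK; ACK and SYN arriving apart is a split */
        if (p.dir == S2C && syn && ack)  { t->st = ST_SYNACK_SEEN; return 0; }
        if (p.dir == S2C && ack && !syn) { t->server_bare_ack = 1; return 0; }
        if (p.dir == S2C && syn && !ack) { t->split = 1; t->st = ST_SPLIT_SYN_SEEN; return 0; }
        break;
    case ST_SYNACK_SEEN:       /* expect the client's final ACK */
        if (p.dir == C2S && ack && !syn) { t->st = ST_ESTABLISHED; return 0; }
        break;
    case ST_SPLIT_SYN_SEEN:    /* roles reversed: the client now answers with SYN-ACK */
        if (p.dir == C2S && syn && ack)  { t->st = ST_SPLIT_SYNACK_SEEN; return 0; }
        break;
    case ST_SPLIT_SYNACK_SEEN: /* ... and the server completes with ACK */
        if (p.dir == S2C && ack && !syn) { t->st = ST_ESTABLISHED; return 0; }
        break;
    case ST_ESTABLISHED:
        return 0;              /* data phase is not modelled */
    }
    return -1;
}

/* Run a whole trace through the tracker; the final tracker is copied to *out
 * (if non-NULL) so the caller can inspect the split indicators. */
enum verdict classify(const struct pkt *pkts, size_t n, struct tracker *out)
{
    struct tracker t;
    tracker_init(&t);
    for (size_t i = 0; i < n; i++) {
        if (tracker_step(&t, pkts[i]) < 0) { if (out) *out = t; return INVALID; }
    }
    if (out) *out = t;
    if (t.st != ST_ESTABLISHED) return INCOMPLETE;
    return t.split ? SPLIT_HANDSHAKE : NORMAL_3WHS;
}

/* Constructed traces, not captures from the post. */
const struct pkt NORMAL_TRACE[] = { {C2S, TCP_SYN}, {S2C, TCP_SYN | TCP_ACK}, {C2S, TCP_ACK} };
const struct pkt SPLIT_TRACE[] = {       /* server sends ACK, then its own SYN, separately */
    {C2S, TCP_SYN}, {S2C, TCP_ACK}, {S2C, TCP_SYN}, {C2S, TCP_SYN | TCP_ACK}, {S2C, TCP_ACK} };
const struct pkt SPLIT_NOACK_TRACE[] = { /* server skips the ACK and just sends its SYN */
    {C2S, TCP_SYN}, {S2C, TCP_SYN}, {C2S, TCP_SYN | TCP_ACK}, {S2C, TCP_ACK} };
const struct pkt HALF_OPEN_TRACE[] = { {C2S, TCP_SYN}, {S2C, TCP_SYN | TCP_ACK} };

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    static const char *const names[] = { "INCOMPLETE", "NORMAL_3WHS", "SPLIT_HANDSHAKE", "INVALID" };
    struct tracker t;
    enum verdict v = classify(NORMAL_TRACE, NELEM(NORMAL_TRACE), &t);
    printf("normal: %s, initiator seen as %s\n", names[v], t.naive_initiator == C2S ? "client" : "server");
    v = classify(SPLIT_TRACE, NELEM(SPLIT_TRACE), &t);
    printf("split:  %s, initiator seen as %s\n", names[v], t.naive_initiator == C2S ? "client" : "server");
    return 0;
}
```

Compile with a C99 compiler and run. The FortiGate log above reports the split at state ESTABLISHED, i.e. once the reversed handshake has completed; this toy tracker flags the flow earlier, as soon as the server's bare SYN arrives in place of the expected SYN-ACK, and at the same moment records that a SYN-keyed tracker would now call the server the initiator.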
I am out of time to dig into all the details of this attack and prefer not to copy and paste its features from other sites, so I am just adding two links about split handshaking: