Wiresharking TCP Split Handshake Attack

By | July 20, 2020

The TCP split handshake attack is initiated by the server, which sends the client handshake packets that do not follow the normal state transitions. There are many rumors about a TCP split-handshake vulnerability that can affect firewalls and other networking and security devices. To understand the TCP split-handshake attack, let us look at how network devices handshake when setting up a TCP connection. In the first step, the client sends the server a packet with a synchronize sequence number (SYN) to inform the server that the client intends to start communication. In step 2, the server responds to the client's request with both signals in one SYN-ACK packet: an acknowledgement (ACK) of the client's SYN and the sequence number (SYN) that the server chooses. In the final step (ACK), the client acknowledges the server's response; both sides now consider the connection established and the actual data transfer begins.

Here is a simple TCP server; it listens on port 1234, receives one byte from the client and echoes it back:


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)
{
   struct sockaddr_in local;
   struct sockaddr_in clientaddr;
   socklen_t clientaddr_size = sizeof(clientaddr);
   int sckt;
   int sckt1;
   int rc;
   char buf[1];

   /* Listen on TCP port 1234 on every local interface. */
   memset(&local, 0, sizeof(local));
   local.sin_family = AF_INET;
   local.sin_port = htons(1234);
   local.sin_addr.s_addr = htonl(INADDR_ANY);
   sckt = socket(AF_INET, SOCK_STREAM, 0);
   if(sckt<0)
   {
      perror("socket call");
      return -1;
   }
   rc = bind (sckt, (struct sockaddr*)&local, sizeof(local));
   if(rc<0)
   {
      perror("bind call");
      close(sckt);
      return -1;
   }
   rc = listen(sckt, 5);
   if (rc)
   {
      perror("listen call");
      close(sckt);
      return -1;
   }
   /* accept() returns only after the kernel has completed the 3-way handshake. */
   sckt1 = accept(sckt, (struct sockaddr *)&clientaddr, &clientaddr_size);
   if(sckt1<0)
   {
      perror("accept call");
      close(sckt);
      return -1;
   }
   /* Read one byte from the client and echo it back. */
   rc = recv(sckt1, buf, 1, 0);
   if(rc<=0)
   {
      if (rc < 0)
         perror("recv call");
      else
         fprintf(stderr, "client closed the connection\n");
      close(sckt1);
      close(sckt);
      return -1;
   }
   printf("\nSymbol received: %c\n",buf[0]);
   rc = send(sckt1, buf, 1, 0);
   if(rc<0)
   {
      perror("send call");
      close(sckt1);
      close(sckt);
      return -1;
   }
   close(sckt1);
   close(sckt);
   return 0;
}

If I telnet to this server:


# telnet 10.199.30.6 1234

Wireshark shows me the 3-way handshake:
(Screenshot: 3-way handshake in Wireshark)
The server (10.199.30.6) sends the SYN-ACK response to the client (10.19.68.1) in one packet.

Then I looked at the FortiGate firewall log file and found the following warning:


The following intrusion was observed: "TCP.Split.Handshake".
date=2020-07-15 time=10:10:10 devname=LADYDEBUG-COM-500 devid=AE5D0E987654321 logid="012345678" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1594807810518758879 tz="+0500" severity="medium" srcip=35.88.138.1 srccountry="Canada" dstip=10.19.68.1 srcintf="port8" srcintfrole="wan" dstintf="CORE" dstintfrole="lan" sessionid=102938486 action="detected" proto=6 service="SSH" policyid=9 attack="TCP.Split.Handshake" srcport=22 dstport=22 direction="outgoing" attackid=26339 profile="default" ref="http://www.fortinet.com/ids/VID26339" incidentserialno=1209348756 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"

First of all I checked what the split looks like in Wireshark and found that the server does not send the normal SYN-ACK response:
(Screenshot: split handshake in Wireshark)
So the handshake is split, and Wireshark captured only one part of it.
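As an added example (not code from this post), here is a small C classifier for the situation described above: given the SYN/ACK flags of the segments Wireshark lists for one connection, it reports whether the server answered the client's SYN with a single SYN-ACK (normal 3-way handshake) or with its SYN separated from the ACK (split). The traces, the struct and the enum are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

#define TH_SYN 0x02   /* SYN bit of the TCP flags byte */
#define TH_ACK 0x10   /* ACK bit of the TCP flags byte */

/* One segment as Wireshark would list it: who sent it and its SYN/ACK flags.
 * The sample data below is constructed for this example, not taken from a capture. */
struct seg { int from_server; unsigned char flags; };
enum hs_result { HS_INCOMPLETE, HS_NORMAL, HS_SPLIT };

/* Judge the handshake by the server's reply to the client's SYN: a single
 * SYN-ACK is the normal step 2; a bare SYN from the server, possibly preceded
 * by a bare ACK, means step 2 was split across separate segments. */
enum hs_result classify_handshake(const struct seg *s, size_t n)
{
    int client_syn = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char f = s[i].flags & (TH_SYN | TH_ACK);
        if (!s[i].from_server) {
            if (f == TH_SYN) client_syn = 1;          /* step 1: client SYN */
            continue;
        }
        if (!client_syn) continue;                    /* server spoke first; ignore */
        if (f == (TH_SYN | TH_ACK)) return HS_NORMAL; /* step 2 in one segment */
        if (f == TH_SYN) return HS_SPLIT;             /* SYN half arrived on its own */
        /* bare ACK from the server: the ACK half; keep waiting for its SYN */
    }
    return HS_INCOMPLETE;
}

/* Constructed traces. normal_trace matches the capture described in the post;
 * split_trace is a server answering with ACK and SYN in two segments, after
 * which the client completes with SYN-ACK and the server acknowledges. */
const struct seg normal_trace[] = { {0, TH_SYN}, {1, TH_SYN | TH_ACK}, {0, TH_ACK} };
const struct seg split_trace[]  = { {0, TH_SYN}, {1, TH_ACK}, {1, TH_SYN},
                                    {0, TH_SYN | TH_ACK}, {1, TH_ACK} };
const struct seg half_trace[]   = { {0, TH_SYN}, {1, TH_ACK} }; /* capture cut short */

const char *hs_name(enum hs_result r)
{
    return r == HS_NORMAL ? "normal 3-way" : r == HS_SPLIT ? "split" : "incomplete";
}

int main(void)
{
    printf("normal_trace: %s\n", hs_name(classify_handshake(normal_trace, 3)));
    printf("split_trace:  %s\n", hs_name(classify_handshake(split_trace, 5)));
    printf("half_trace:   %s\n", hs_name(classify_handshake(half_trace, 2)));
    return 0;
}
```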
I am out of time to dig into all the details of this attack and prefer not to copy and paste its features from other sites, so I am just adding two links about split handshaking:

What is the TCP Split-Handshake Attack and Does It Affect Me?

The TCP Split Handshake: Practical Effects on Modern Network Equipment
