Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)
Post subject: Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)  |  Posted: Tue Jun 19, 2012 8:38 am
The SRX 'strict-syn-check' option allows blocking the split handshake (nmap.org/misc/split-handshake.pdf) and dropping TCP SYN packets containing data.

Code:
set security flow tcp-session strict-syn-check


According to TCP RFC 793, SYN packets take place before the first data segment and FIN packets get dropped after the last segment. This means that SYN packets containing data are an anomaly.

As per the documentation:
Quote:
Enables the strict three-way handshake check for the TCP session. It enhances security by dropping data packets before the three-way handshake is done.



Testcase:
Injecting a SYN packet with a payload using nemesis:
Code:
# nemesis tcp -S 172.31.0.2 -D 172.31.1.2 -y 80 -fS -P /tmp/1300b -FD
# wc -c /tmp/1300b
    1324 /tmp/1300b


Code:
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  make_nsp_ready_no_resolve()
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  route lookup: dest-ip 172.31.0.2 orig ifp vlan.210 output_ifp vlan.210 orig-zone 8 out-zone 8 vsd 0
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  route to 172.31.0.2
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:no need update ha
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:Installing c2s NP session wing
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  flow got session.
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  flow session id 27542
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: vector bits 0x6 vector 0x4a56aa60
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:ttl vector, out_tunnel = 0x50ba7f08
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp strict 3way handshake check: tcp flag 0x2, datalen=1324
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp 3way handshake check fail
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


A few notes on the above debug info:
- 172.31.0.2 is the source IP
- flag 0x2 = 2^1 = the SYN flag; the packet contains 1324 bytes of data, as seen in the table below
Code:
            |C|E|U|A|P|R|S|F|
            |---------------|
            |7 6 5 4 3 2 1 0|

- the strict SYN check fails.
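To make the check that the debug output reports concrete, here is an added Python example (not part of the original post and not Juniper's code) that parses a raw TCP header, maps the flag bits exactly as the table above lays them out, and applies a simplified model of the strict three-way handshake check: a SYN carrying data is dropped, and a data segment seen before the handshake completes is dropped. The packet bytes are constructed inline for the test; the `handshake_done` parameter and the drop-reason strings are assumptions made for illustration, not SRX behaviour.

```python
import struct

# TCP flag bit positions, low byte of the flags field, as in the post's table:
# |C|E|U|A|P|R|S|F|  ->  bit 7 ... bit 0
FLAG_FIN = 1 << 0
FLAG_SYN = 1 << 1          # 0x2 = 2^1, the value in the "tcp flag 0x2" debug line
FLAG_RST = 1 << 2
FLAG_PSH = 1 << 3
FLAG_ACK = 1 << 4
FLAG_URG = 1 << 5
FLAG_ECE = 1 << 6
FLAG_CWR = 1 << 7

FLAG_NAMES = {FLAG_CWR: "CWR", FLAG_ECE: "ECE", FLAG_URG: "URG", FLAG_ACK: "ACK",
              FLAG_PSH: "PSH", FLAG_RST: "RST", FLAG_SYN: "SYN", FLAG_FIN: "FIN"}


def describe_flags(flags: int) -> str:
    """Render a flags byte as names, highest bit first (0x12 -> 'ACK|SYN')."""
    names = [name for bit, name in sorted(FLAG_NAMES.items(), reverse=True) if flags & bit]
    return "|".join(names) or "none"


def parse_tcp(segment: bytes):
    """Return (flags, data_offset_bytes, payload) from a raw TCP segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window, csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # header length in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0xFF                   # the 8 bits shown in the table (NS bit ignored)
    return flags, data_offset, segment[data_offset:]


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"", seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header plus payload (checksum left 0; constructed test data)."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload


def strict_syn_check(segment: bytes, handshake_done: bool = False):
    """Simplified model (assumption) of the strict 3-way handshake check.

    Returns ("drop", reason) or ("pass", None). Two rules from the post:
      1. a SYN (without ACK) must carry no data;
      2. no data is accepted before the handshake is done.
    """
    flags, _, payload = parse_tcp(segment)
    datalen = len(payload)
    if flags & FLAG_SYN and not flags & FLAG_ACK:
        if datalen > 0:
            return ("drop", f"tcp flag {flags:#x}, datalen={datalen}: SYN carries data")
        return ("pass", None)
    if not handshake_done and datalen > 0:
        return ("drop", f"tcp flag {flags:#x}, datalen={datalen}: data before 3-way handshake")
    return ("pass", None)


if __name__ == "__main__":
    # Constructed packet mirroring the test case: SYN to port 80 with 1324 bytes of data.
    pkt = build_tcp(40000, 80, FLAG_SYN, b"A" * 1324)
    print(describe_flags(parse_tcp(pkt)[0]), strict_syn_check(pkt))
```

Running the block prints `SYN ('drop', 'tcp flag 0x2, datalen=1324: SYN carries data')`, i.e. the same flag value and data length the SRX debug line shows before reporting the check failure. A bare SYN, or a data segment after `handshake_done=True`, passes.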