Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)
https://forum.ivorde.com/juniper-srx-testcase-how-to-block-tcp-syn-packets-with-data-segment-bytes-strict-syn-check-t3802.html

Author:  admin [ Tue Jun 19, 2012 8:38 am ]
Post subject:  Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)

The SRX 'strict-syn-check' option allows blocking the split handshake (nmap.org/misc/split-handshake.pdf) and dropping TCP SYN packets that carry data.

Code:
set security flow tcp-session strict-syn-check


According to TCP RFC 793, the SYN is sent before the first data segment and the FIN is sent after the last one. This means that SYN packets containing data are an anomaly.

As per documentation:
Quote:
Enables the strict three-way handshake check for the TCP session. It enhances security by dropping data packets before the three-way handshake is done.



Testcase:
Injecting a SYN packet with a payload using nemesis:
Code:
# nemesis tcp -S 172.31.0.2 -D 172.31.1.2 -y 80 -fS -P /tmp/1300b -FD
# wc -c /tmp/1300b
    1324 /tmp/1300b


Code:
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  make_nsp_ready_no_resolve()
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  route lookup: dest-ip 172.31.0.2 orig ifp vlan.210 output_ifp vlan.210 orig-zone 8 out-zone 8 vsd 0
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  route to 172.31.0.2
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:no need update ha
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:Installing c2s NP session wing
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  flow got session.
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:  flow session id 27542
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: vector bits 0x6 vector 0x4a56aa60
Jun 14 20:19:06 20:19:06.286006:CID-0:RT:ttl vector, out_tunnel = 0x50ba7f08
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp strict 3way handshake check: tcp flag 0x2, datalen=1324
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: tcp 3way handshake check fail
Jun 14 20:19:06 20:19:06.286006:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


A few notes on the above debug info:
- 172.31.0.2 is the source IP
- tcp flag 0x2 = 2 to the power of 1 = bit 1 = SYN, so this is a SYN packet carrying 1324 bytes of data (datalen=1324), as the flag bit table below shows
Code:
            |C|E|U|A|P|R|S|F|
            |---------------|
            |7 6 5 4 3 2 1 0|

- the strict SYN check fails ("tcp 3way handshake check fail", rc -1), so the packet is dropped before any session is established.
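Added example (not from the original post and not Juniper code): a small Python check that mirrors the SRX decision shown in the debug output, decoding the TCP flag byte with the bit table above and failing any SYN (without ACK) that carries payload bytes. The packet builder, port 40000 and the byte payload are constructed for the test; checksums stay zero because nothing is transmitted.

```python
import struct

# TCP flag bits in the order of the SRX table |C|E|U|A|P|R|S|F| (bit 7 .. bit 0)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def flag_names(flags):
    """Decode the low byte of the TCP flags field into flag names."""
    return [name for name, bit in FLAG_BITS.items() if flags & bit]

def parse_ipv4_tcp(pkt):
    """Return (src, dst, flags, data_len) for a raw IPv4/TCP packet without link layer."""
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]  # IP total length
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                     # TCP data offset in bytes
    return src, dst, tcp[13], len(tcp) - doff

def strict_syn_check(pkt):
    """Mirror 'tcp strict 3way handshake check': a SYN (no ACK) must carry no data."""
    src, dst, flags, datalen = parse_ipv4_tcp(pkt)
    is_syn = bool(flags & FLAG_BITS["SYN"]) and not flags & FLAG_BITS["ACK"]
    verdict = "fail" if (is_syn and datalen > 0) else "pass"
    return {"src": src, "dst": dst, "flags": hex(flags), "names": flag_names(flags),
            "datalen": datalen, "verdict": verdict}

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed test packet for parsing only (checksums left at zero, DF bit set)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

if __name__ == "__main__":
    # Reproduce the testcase: SYN to port 80 carrying 1324 bytes, as nemesis injected it
    syn_with_data = build_ipv4_tcp("172.31.0.2", "172.31.1.2", 40000, 80,
                                   FLAG_BITS["SYN"], b"A" * 1324)
    print(strict_syn_check(syn_with_data))   # verdict: fail, like the SRX debug above
    # A plain SYN without data passes the check
    print(strict_syn_check(build_ipv4_tcp("172.31.0.2", "172.31.1.2", 40000, 80,
                                          FLAG_BITS["SYN"])))
```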

All times are UTC - 5 hours [ DST ]