TCP Split Handshake: Practical Effects on Modern Network Equipment

Download the Macrothink Institute's paper, "The TCP Split Handshake: Practical Effects on Modern Network Equipment," written by BreakingPoint researchers.

Many network engineers might presume that the TCP three way handshake is the one, inviolate method of establishing TCP connections. A smaller percentage of engineers are also familiar with the little-used "simultaneous-open" connection method of establishing TCP connections. Researchers have discovered a third means to initiate TCP sessions, dubbed the "split-handshake" method, which blends features of both the three way handshake and the simultaneous-open connection. Popular TCP/IP networking stacks respect this novel handshaking method, including Microsoft, Apple, and Linux stacks, with no modification.

Given the novelty of the split-handshake technique, session aware devices have had very little formal testing to determine their effectiveness in relation to sessions established in this way. The authors audit a number of intrusion detection devices, NAT gateways, port scanners, and firewalls, and unexpected behavior was observed within each class of device and application. This inconsistent behavior leads to the conclusion that such network-aware devices and applications should undergo more rigorous testing by their respective manufacturers in an effort to reliably detect malicious traffic, handle network address translation more effectively, and detect the presence of servers offering this form of session establishment. Download the white paper.

Read the blog post that started it all, "TCP Portals: The Handshake's a Lie", and to validate that your firewall or IPS can handle both three-way, four-way and split handshakes register for a personalized demo.