Yes, it is possible, on a Linux server with SynCookies enabled.
sysctl -a | grep net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Steps (howto):
- During the 3-way handshake, the client sends an ACK packet (3rd packet) to the server with a value one more than the expected value.
- The Linux server will respond with a RST as the 4th packet -> this fools the IDS into thinking the TCP connection is terminated.
- Then, the client can continue to send EVIL stuff to the server.
Summary:
- TCP SynCookies is used to combat Syn flood (DoS) attacks.
- By right, one should see a re-transmit of SYN+ACK from the server instead of a RST.
- The faked ACK packet (4th) is just a stray packet (in SynCookies).
- The subsequent GET /EVIL packet (5th) is considered a valid final ACK of the three-way handshake since the syn-cookie will match.
- With Snort IDS, the default stream5 policy of "windows" will not be fooled by this because of what it considers an invalid reset sequence number.
Source articles:
Source codes:
- FakeRST (by famousjs)
- Scapy Code for Bad ACK Reset
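Added example (not from the answer above or from the FakeRST/Scapy sources it links): a minimal flow tracker showing why a strict reset policy like Snort's stream5 "windows" policy is not fooled. The packet trace is constructed from the steps described above (addresses, sequence numbers and the RST seq derived from the bad ack are assumptions); a RST only tears down flow state when its seq exactly matches the next expected seq for that direction, so the later data segment is still inspected.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Pkt:                    # constructed packet model, not a real capture
    src: str
    flags: str                # "S", "SA", "A", "R", "PA"
    seq: int
    ack: int = 0
    payload: bytes = b""

@dataclass
class Flow:
    state: str = "NEW"
    expected: Dict[str, int] = field(default_factory=dict)  # next seq per sender
    events: List[str] = field(default_factory=list)

def track(packets, strict_rst=True):
    """Replay packets through a tiny stream tracker.
    strict_rst=True  : RST accepted only if seq == next expected seq (windows-like policy)
    strict_rst=False : any RST closes the flow (the behaviour the evasion relies on)"""
    f = Flow()
    for p in packets:
        if "S" in p.flags:                          # SYN or SYN+ACK
            f.expected[p.src] = p.seq + 1
            f.state = "SYN_RECV" if "A" in p.flags else "SYN_SENT"
            continue
        if "R" in p.flags:
            exp = f.expected.get(p.src)
            if strict_rst and p.seq != exp:
                f.events.append(f"ignored RST seq={p.seq} expected={exp}")
                continue                            # keep tracking the flow
            f.state = "CLOSED"
            f.events.append("flow closed by RST")
            continue
        if f.state == "CLOSED":
            f.events.append("segment after close: not inspected")
            continue
        if f.state == "SYN_RECV" and "A" in p.flags:
            f.state = "ESTABLISHED"                 # handshake completes
        if p.payload:
            f.events.append(f"inspected payload {p.payload!r}")
            f.expected[p.src] = p.seq + len(p.payload)
    return f

C, S = "10.0.0.2", "10.0.0.1"                       # assumed client / server
c0, s0 = 1000, 5000                                 # assumed initial seqs
FAKERST_TRACE = [
    Pkt(C, "S",  seq=c0),                           # 1: SYN
    Pkt(S, "SA", seq=s0, ack=c0 + 1),               # 2: SYN+ACK (syncookie)
    Pkt(C, "A",  seq=c0 + 1, ack=s0 + 2),           # 3: ACK with ack one too high
    Pkt(S, "R",  seq=s0 + 2),                       # 4: RST, seq taken from the bad ack
    Pkt(C, "PA", seq=c0 + 1, ack=s0 + 1, payload=b"GET /EVIL HTTP/1.0\r\n\r\n"),
]
```

Running `track(FAKERST_TRACE)` keeps the flow ESTABLISHED and inspects the GET, while `track(FAKERST_TRACE, strict_rst=False)` closes the flow on the stray RST and never looks at the payload.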