Jul 1, 2010

IDS Evasion with Syncookies

Is it possible that, after a destination host (server) has sent you a RST packet, you can still send the server data and carry on with the connection?

Yes, it is possible, on a Linux server with SYN cookies enabled:

sysctl -a | grep net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1

Steps (howto):

  • During the 3-way handshake, the client sends the ACK packet (3rd packet) to the server with an acknowledgement number one more than the expected value.
  • The Linux server responds with a RST as the 4th packet, which fools the IDS into believing the TCP connection has been terminated.
  • The client can then continue to send EVIL stuff to the server.

Summary:
  • TCP SYN cookies are used to combat SYN flood (DoS) attacks. Note that with net.ipv4.tcp_syncookies = 1 the kernel only falls back to cookies once the SYN backlog is full, so the behaviour described here applies to a server that is actually under SYN load.
  • By right, the server should retransmit the SYN+ACK instead of answering with a RST.
  • To a SYN-cookie server the faked ACK packet (3rd) is just a stray packet: the kernel holds no half-open state for it, its cookie check fails, and it is answered with a RST.
  • The subsequent GET /EVIL packet (5th) is accepted as the valid final ACK of the three-way handshake, because its acknowledgement number yields a matching SYN cookie.
  • With Snort IDS, the default stream5 policy of "windows" is not fooled by this, because it considers the RST's sequence number invalid and keeps tracking the stream.
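
The five-packet exchange from the steps above, and the two IDS reactions from the summary, modelled in pure Python. This is an added example, not code from the original post or from Snort: it simulates a stateless SYN-cookie server, a client whose third handshake packet acknowledges one byte too many, and an IDS stream tracker with two RST policies ("any_rst" tears the flow down on any RST; "strict_seq" stands in for a policy that only honours a RST whose sequence number is exactly the next expected one). The packet fields, the HMAC-based cookie, the addresses and the payload are constructed for illustration; a real Linux cookie also encodes MSS and a timestamp.

```python
"""Simulation of the SYN-cookie / IDS desynchronisation described above.

Added example, not code from the original post. Packet format, cookie
construction, policy names, addresses and payload are simplifying
assumptions made for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"server-secret"                      # assumption: per-boot cookie key
EVIL_REQUEST = b"GET /EVIL HTTP/1.0\r\n\r\n"   # constructed sample payload


@dataclass
class Pkt:
    src: str
    dst: str
    flags: str          # "S", "SA", "A" or "R"
    seq: int
    ack: int = 0
    payload: bytes = b""


def syn_cookie(src: str, dst: str, client_isn: int) -> int:
    """Stateless server ISN: keyed hash of the endpoints and the client's ISN."""
    msg = f"{src}|{dst}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieServer:
    """Holds no half-open state: a SYN gets a cookie ISN, an ACK is judged by its cookie."""

    def __init__(self) -> None:
        self.established = {}   # client address -> bytes received so far

    def receive(self, p: Pkt) -> Optional[Pkt]:
        if p.flags == "S":
            isn = syn_cookie(p.src, p.dst, p.seq)
            return Pkt(p.dst, p.src, "SA", seq=isn, ack=p.seq + 1)
        if p.src in self.established:
            self.established[p.src] += p.payload
            return None
        # An ACK (with or without data) for an unknown flow is accepted only if
        # ack-1 equals the cookie we would have minted for the client's ISN (seq-1).
        if "A" in p.flags and p.ack - 1 == syn_cookie(p.src, p.dst, p.seq - 1):
            self.established[p.src] = p.payload
            return None
        # Otherwise answer with a RST; as Linux does, its seq is the offending packet's ack.
        return Pkt(p.dst, p.src, "R", seq=p.ack)


class IdsStreamTracker:
    """Minimal stream tracker: payload is handed to inspection only while a flow is tracked."""

    def __init__(self, rst_policy: str) -> None:
        self.rst_policy = rst_policy   # "any_rst" or "strict_seq"
        self.next_server_seq = {}      # flow key -> next sequence number expected from server
        self.inspected = []            # payloads that reached detection

    def observe(self, p: Pkt) -> None:
        key = frozenset((p.src, p.dst))
        if p.flags == "SA":
            self.next_server_seq[key] = p.seq + 1
        elif p.flags == "R" and key in self.next_server_seq:
            # "strict_seq" only honours a RST whose seq is exactly the expected one.
            if self.rst_policy == "any_rst" or p.seq == self.next_server_seq[key]:
                del self.next_server_seq[key]
        elif p.payload and key in self.next_server_seq:
            self.inspected.append(p.payload)


def run_evasion(rst_policy: str) -> dict:
    """Replay the five-packet exchange and report what the server and the IDS each saw."""
    client, server = "10.0.0.2", "10.0.0.1"   # constructed addresses
    srv, ids = SynCookieServer(), IdsStreamTracker(rst_policy)

    def send(p: Pkt) -> Optional[Pkt]:
        ids.observe(p)                 # the IDS sees the client packet...
        reply = srv.receive(p)
        if reply is not None:
            ids.observe(reply)         # ...and the server's answer
        return reply

    client_isn = 1000
    synack = send(Pkt(client, server, "S", seq=client_isn))                 # packets 1, 2
    isn = synack.seq
    rst = send(Pkt(client, server, "A", seq=client_isn + 1, ack=isn + 2))   # packet 3: ack one too high
    send(Pkt(client, server, "A", seq=client_isn + 1, ack=isn + 1,
             payload=EVIL_REQUEST))                                         # packet 5: valid ack + data
    return {
        "rst_flags": rst.flags if rst else None,                            # packet 4
        "rst_seq_offset": (rst.seq - (isn + 1)) if rst else None,
        "server_received": srv.established.get(client, b""),
        "ids_inspected": ids.inspected,
    }


if __name__ == "__main__":
    for policy in ("any_rst", "strict_seq"):
        print(policy, run_evasion(policy))
```

Run it and compare the two policies: in both cases the server ends up with the GET /EVIL request, but under "any_rst" the IDS has already dropped the flow when the data arrives and inspects nothing, while under "strict_seq" the RST's sequence number is one past what the IDS expects, the flow survives, and the payload is inspected.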

Source articles:


Source codes: