Check Point response to "Off-Path TCP Sequence Number Inference Attack"
There are two settings related to sequence verification:
- Sequence Verifier IPS protection (disabled by default) - affects TCP connections inspected by the firewall, but not other software blades.
- TCP Out of Sequence IPS engine setting (enabled by default) - affects TCP connections that are inspected by IPS, Application & URL Filtering, DLP, Anti-Spam and Mail, Anti-Bot and Anti-Virus software blades. (In R80.x, "engine settings" are called "Inspection Settings".)
Customers who do not use software blades in (2) and did not enable the Sequence Verifier IPS protection are not vulnerable to this attack. (In R80.x, "Sequence Verifier" is no longer available in "IPS Protections", but in "Inspection Settings".)
Customers who use software blades in (2) or have enabled the Sequence Verifier IPS protection should use one of the suggested solutions.
Solution 1: Disable Sequence Verification
Disable Sequence Verification, by changing "Sequence Verifier" action to "Inactive" and "TCP Out of Sequence" action to "Accept".
Solution 2: Use Initial Sequence Number (ISN) Spoofing
Customers who require sequence verification may use the "Initial Sequence Number (ISN) Spoofing" IPS protection to mitigate the attack. The "Minimal ISN entropy" parameter should be set to "32".
The paper assumes that the ISN has 24-bit entropy, which yields a 225 TCP sequence number space that should be searched for a valid sequence number (refer to the paper for explanation). ISN Spoofing protection will increase the search space to 232, or by 27=128 times, which subsequently will increase time and bandwidth requirements of the attack by 128 times.
To do so:
- Go to the IPS blade and select Protections. Look for Initial Sequence Number (ISN) Spoofing. (IPS Software Blade->Network Security->Fingerprint Scrambling->Initial Sequence Number (ISN) Spoofing.)
- Edit protection->click Override IPS Policy with: Active and under Initial Sequence Number Settings set Minimal ISN entropy to 32 bits. (Note: In R80.30, "Active" is "Accept".)
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.