Check Point response to "Off-Path TCP Sequence Number Inference Attack"
  • Researchers at the University of Michigan have published the paper "Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security".

  • This attack identifies the current sequence range of a TCP connection by exploiting the fact that firewalls drop out-of-window TCP packets. Once the sequence range is identified, an off-path attacker may inject data into, or hijack, the TCP connection.

  • Client applications that use cleartext connections (e.g., HTTP and not HTTPS) are potential targets for these attacks.
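The behaviour the attack depends on is a sequence verifier silently dropping segments that fall outside the receive window. The added example below (not Check Point code) models that acceptability check and counts, per flow, how many segments it would drop, so that a flow receiving many out-of-window segments stands out from ordinary loss or reordering. Flow tuples, window size, sequence numbers and the threshold are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

SEQ_MOD = 2 ** 32
Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
Packet = Tuple[Flow, int, int]     # (flow, seq, payload_len)


def acceptable(seq: int, length: int, rcv_nxt: int, window: int) -> bool:
    """RFC 793 acceptability test as a sequence verifier applies it: the segment
    must overlap [rcv_nxt, rcv_nxt + window), compared modulo 2^32."""
    end = (seq + max(length, 1) - 1) % SEQ_MOD
    return (seq - rcv_nxt) % SEQ_MOD < window or (end - rcv_nxt) % SEQ_MOD < window


def count_out_of_window(packets: List[Packet], rcv_nxt: Dict[Flow, int],
                        window: int = 65535) -> Dict[Flow, int]:
    """Count per flow the segments a sequence verifier would drop. rcv_nxt holds
    each flow's expected sequence number and is advanced on in-order data."""
    dropped: Dict[Flow, int] = defaultdict(int)
    for flow, seq, length in packets:
        expected = rcv_nxt[flow]
        if not acceptable(seq, length, expected, window):
            dropped[flow] += 1      # the silent drop an off-path sender can observe
        elif seq == expected:
            rcv_nxt[flow] = (expected + length) % SEQ_MOD
    return dict(dropped)


def probing_flows(dropped: Dict[Flow, int], threshold: int = 3) -> List[Flow]:
    """Flows whose out-of-window count looks like a scan of the sequence space."""
    return sorted(f for f, n in dropped.items() if n >= threshold)


# Constructed sample: one ordinary HTTP flow and one flow receiving probes.
CLIENT: Flow = ("198.51.100.10", 40001, "203.0.113.5", 80)
VICTIM: Flow = ("198.51.100.10", 40002, "203.0.113.5", 80)
STATE = {CLIENT: 1000, VICTIM: 5_000_000}
PACKETS: List[Packet] = [
    (CLIENT, 1000, 100), (CLIENT, 1100, 100), (CLIENT, 1150, 100),  # in order, then partial retransmit
    (VICTIM, 0, 1), (VICTIM, 1 << 28, 1), (VICTIM, 1 << 29, 1),      # five out-of-window segments
    (VICTIM, 1 << 30, 1), (VICTIM, 1 << 31, 1), (VICTIM, 5_000_010, 1),  # last one lands in window
]


def run_sample() -> Tuple[Dict[Flow, int], List[Flow]]:
    state = dict(STATE)                     # copy so the module-level state stays pristine
    dropped = count_out_of_window(PACKETS, state)
    return dropped, probing_flows(dropped)


if __name__ == "__main__":
    print(run_sample())   # ({VICTIM: 5}, [VICTIM])
```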

There are two settings related to sequence verification:

  1. Sequence Verifier IPS protection (disabled by default) - affects TCP connections inspected by the firewall, but not other software blades.

  2. TCP Out of Sequence IPS engine setting (enabled by default) - affects TCP connections that are inspected by IPS, Application & URL Filtering, DLP, Anti-Spam and Mail, Anti-Bot and Anti-Virus software blades. (In R80.x, "engine settings" are called "Inspection Settings".)

Customers who do not use software blades in (2) and did not enable the Sequence Verifier IPS protection are not vulnerable to this attack. (In R80.x, "Sequence Verifier" is no longer available in "IPS Protections", but in "Inspection Settings".)

Customers who use software blades in (2) or have enabled the Sequence Verifier IPS protection should use the suggested solution.


Use Initial Sequence Number (ISN) Spoofing

Customers who require sequence verification may use the "Initial Sequence Number (ISN) Spoofing" IPS protection to mitigate the attack. The "Minimal ISN entropy" parameter should be set to "32".

The paper assumes that the ISN has 24-bit entropy, which yields a 2^25 TCP sequence number space that must be searched for a valid sequence number (refer to the paper for the explanation). ISN Spoofing protection increases the search space to 2^32, i.e., by 2^7 = 128 times, which in turn increases the time and bandwidth requirements of the attack by 128 times.

To do so:

  1. Go to the IPS blade and select Protections. Look for Initial Sequence Number (ISN) Spoofing (IPS Software Blade -> Network Security -> Fingerprint Scrambling -> Initial Sequence Number (ISN) Spoofing).
  2. Edit the protection, click Override IPS Policy with: Active, and under Initial Sequence Number Settings set Minimal ISN entropy to 32 bits. (Note: In R80.30, "Active" is "Accept".)

This solution has been verified for the specific scenario described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
