Check Point response to "Off-Path TCP Sequence Number Inference Attack"

Solution ID: sk74640
Severity: Low
Product: Security Gateway
Version: All
Date Created: 24-May-2012
Last Modified: 14-Mar-2013
Symptoms
  • Researchers at the University of Michigan have published a paper, "Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security".

  • This attack identifies the current sequence range of a TCP connection by exploiting the fact that firewalls drop out-of-window TCP packets. After the sequence range is identified, an off-path attacker may inject data into or hijack the TCP connection.

  • Client applications that use cleartext connections (e.g., HTTP and not HTTPS) are potential targets for these attacks.
Cause

There are two settings related to sequence verification:

  1. Sequence Verifier IPS protection (disabled by default) - affects TCP connections inspected by the firewall, but not other software blades.

  2. TCP Out of Sequence IPS engine setting (enabled by default) - affects TCP connections that are inspected by IPS, Application & URL Filtering, DLP, Anti-Spam and Mail, Anti-Bot and Anti-Virus software blades.

Customers who do not use the software blades listed in (2) and have not enabled the Sequence Verifier IPS protection are not vulnerable to this attack.

Customers who use the software blades listed in (2), or who have enabled the Sequence Verifier IPS protection, should apply one of the solutions below.


Solution

Solution 1: Disable Sequence Verification

Disable Sequence Verification by changing the "Sequence Verifier" action to "Inactive" and the "TCP Out of Sequence" action to "Detect".

Solution 2: Use Initial Sequence Number (ISN) Spoofing

Customers who require sequence verification may use the "Initial Sequence Number (ISN) Spoofing" IPS protection to mitigate the attack. The "Minimal ISN entropy" parameter should be set to "32".
The paper assumes that the ISN has 24 bits of entropy, which yields a 2^25 TCP sequence number space that must be searched for a valid sequence number (refer to the paper for the explanation). The ISN Spoofing protection increases the search space to 2^32, i.e. by a factor of 2^7 = 128, which in turn increases the time and bandwidth requirements of the attack by 128 times.
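The window check from the Symptoms section and the search-space arithmetic above, as an added Python model: this is illustration code, not Check Point product code, and it calls no product API. It shows the in-window test a sequence-verifying middlebox applies (with 32-bit wraparound) and how many window-sized steps cover a 2^25 versus a 2^32 search space; the 64 KiB window is a constructed value, not a product setting.

```python
# Added illustration, not Check Point code: a model of the in-window check a
# sequence-verifying middlebox applies, and of how the size of the sequence
# space an off-path sender must cover changes with ISN entropy. The window
# size used below is a constructed value, not a product setting.
SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Accept 'seq' iff it lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32.

    A middlebox that verifies sequence numbers forwards in-window segments
    and drops the rest; that difference in handling is the observable
    behaviour the paper describes.
    """
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def accepted_ranges(rcv_nxt: int, rcv_wnd: int) -> list[tuple[int, int]]:
    """The accepted region as one or two [lo, hi) intervals, split on wrap."""
    lo = rcv_nxt % SEQ_SPACE
    hi = lo + rcv_wnd
    if hi <= SEQ_SPACE:
        return [(lo, hi)]
    return [(lo, SEQ_SPACE), (0, hi - SEQ_SPACE)]


def window_steps(search_space_bits: int, rcv_wnd: int) -> int:
    """Number of window-sized steps needed to cover a 2^bits search space.

    Each step is one accept/drop observation, so this bounds the time and
    bandwidth the attack needs; the article cites 2^25 for 24-bit ISN
    entropy and 2^32 once ISN Spoofing enforces 32 bits of entropy.
    """
    return -(-(1 << search_space_bits) // rcv_wnd)  # ceiling division


def isn_spoofing_multiplier(rcv_wnd: int, before_bits: int = 25,
                            after_bits: int = 32) -> float:
    """Factor by which enlarging the search space grows the required steps."""
    return window_steps(after_bits, rcv_wnd) / window_steps(before_bits, rcv_wnd)


if __name__ == "__main__":
    nxt, wnd = SEQ_SPACE - 10, 1 << 16  # constructed window straddling the wrap
    print(accepted_ranges(nxt, wnd))
    print(in_window(5, nxt, wnd), in_window(nxt - 1, nxt, wnd))
    print(isn_spoofing_multiplier(1 << 16))  # 128.0
```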


This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.