
firewall defend tcp split-handshake-spoof enable

Function

The firewall defend tcp split-handshake-spoof enable command enables TCP split handshake spoof attack defense.

The undo firewall defend tcp split-handshake-spoof enable command disables TCP split handshake spoof attack defense.

Format

firewall defend tcp split-handshake-spoof enable

undo firewall defend tcp split-handshake-spoof enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

By default, TCP split handshake spoof attack defense is disabled.

Usage Scenario

In the TCP split handshake, after receiving a SYN packet from a client requesting a TCP connection, the server sends the ACK and the SYN to the client as separate packets. After receiving both the ACK and the SYN from the server, the client sends an ACK packet to complete the TCP connection.

During the TCP split handshake, a session is established when the SYN packet from the client reaches the FW. The SYN packet returned by the server matches this session when it reaches the FW. Therefore, the FW does not apply the security policy to the reverse SYN and forwards the packet directly to the client.

An attacker may set the acknowledgment number field of the server's SYN packet to 0 and use a new sequence number. After receiving this SYN packet, the client treats it as a TCP connection request initiated by the server. As a result, the server becomes "the client" that initiates the TCP connection, and the client becomes "the server" that responds to the connection request with a SYN/ACK packet. In this way, data traffic from the extranet to the intranet may evade detection by the content-based security functions (such as IPS and antivirus). This is the TCP split handshake attack.

The FW has the TCP split handshake attack defense function. The function blocks TCP split handshakes and discards the SYN packets matching the reverse session (including the SYN packets carrying data), preventing malicious data injection.
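The session-matching logic described above, as an added illustration that is not Huawei's code: a simplified stateful filter creates a session from the client's SYN and, with defense enabled, discards any bare SYN (no ACK flag) that matches the reverse direction of that session, payload or not, while a SYN/ACK is treated as the normal three-way handshake reply. The addresses, ports and segment contents are constructed sample data.

```python
from collections import namedtuple

# Minimal TCP segment: endpoints, SYN/ACK flags, sequence numbers and payload.
Segment = namedtuple("Segment", "src dst sport dport syn ack seq ack_num payload",
                     defaults=(False, False, 0, 0, b""))

class SplitHandshakeFilter:
    """Session table keyed by the client SYN's 4-tuple. A bare SYN in the reverse
    direction of a known session is the server half of a split handshake: dropped
    (payload or not) with defense on, otherwise forwarded without a policy lookup."""

    def __init__(self, defend: bool) -> None:
        self.defend = defend
        self.sessions: set = set()

    def process(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if rev in self.sessions:               # server -> client on a known session
            if seg.syn and not seg.ack:        # reverse SYN (SYN/ACK is the normal reply)
                return "drop" if self.defend else "forward-unchecked"
            return "forward"
        if fwd in self.sessions:               # client -> server on a known session
            return "forward"
        if seg.syn and not seg.ack:            # connection request: create the session
            self.sessions.add(fwd)
            return "forward"
        return "drop"                          # no session and not a connection request

def run(defend: bool, segs: list) -> list:
    """Pass a constructed exchange through a fresh firewall and return each verdict."""
    fw = SplitHandshakeFilter(defend)
    return [fw.process(s) for s in segs]

# Constructed exchanges: intranet client 10.0.0.5:40000, extranet server 203.0.113.10:80.
C2S = dict(src="10.0.0.5", dst="203.0.113.10", sport=40000, dport=80)
S2C = dict(src="203.0.113.10", dst="10.0.0.5", sport=80, dport=40000)
# Split handshake: the server answers the client SYN with a separate ACK and then a
# SYN whose ack field is 0 and whose seq is new, carrying data ahead of inspection.
SPLIT = [Segment(**C2S, syn=True, seq=1000),
         Segment(**S2C, ack=True, ack_num=1001),
         Segment(**S2C, syn=True, seq=5000, ack_num=0, payload=b"injected data")]
# Normal three-way handshake for comparison: SYN, SYN/ACK, ACK.
THREE_WAY = [Segment(**C2S, syn=True, seq=1000),
             Segment(**S2C, syn=True, ack=True, seq=5000, ack_num=1001),
             Segment(**C2S, ack=True, seq=1001, ack_num=5001)]
```

Because the filter keys only on direction and flags, it cannot tell a legitimate split handshake from a spoofed one, which is why enabling the defense also blocks normal split handshakes.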

Precautions

After the TCP split handshake attack defense function is enabled, the reverse SYN packets of a normal TCP split handshake are also blocked. Therefore, exercise caution when using this command.

Example

# Enable the TCP split handshake attack defense function.

<sysname> system-view
[sysname] firewall defend tcp split-handshake-spoof enable
Copyright © Huawei Technologies Co., Ltd.