[00:00:01] We already know that the RFC standard describes a TCP session establishment as a process that requires sending four packets. Please note that having received the second ACK packet, the server should be silent.

[00:00:18] In practice, computer systems, and we're not talking here only about the TCP implementation in operating systems but also in network devices, would behave differently.

[00:00:33] The initiator would send a packet with its own initial sequence number. The server would respond with an ACK packet, increasing the acknowledgement number. The client would silently accept the ACK packet. Up to this point everything would happen normally. At this point the server would send to the initiator the third packet, that is, its own SYN packet with a pseudo-random sequence number and a valid acknowledgement number. Instead of sending the ACK packet to end the whole process as is described in the RFC standard, the client would now send a SYN/ACK packet. The sequence number would get sent once again and the acknowledgement number would be increased by 1. The server would respond to a SYN/ACK packet in accordance with the standard by sending an ACK packet, with which the TCP session would already have been established.

[00:01:35] The problem was, however, that from this moment the direction of the session would be reversed. So it would look as if the server had connected to the client and not the other way around.
[00:01:49] The direction of the TCP session would change. Please remember that modern firewalls, and as we'll see in a while intrusion detection systems too, are stateful and that they take into account session direction. From that moment on it looked as if a trusted computer from inside connected to an untrusted computer from outside. In reality it was exactly the opposite.

[00:02:18] We have yet to mention that the acknowledgement does not affect the way the process unfolds. You can establish a TCP session by sending packets in the following sequence: SYN, SYN, SYN/ACK and ACK.

[00:02:42] Let's summarize now the results of the research conducted by BreakingPoint Systems and NSS Labs. It turns out that only one of the three intrusion detection systems tested by the company detected the attacks carried out by means of a reverse TCP session. If the session was established through a regular handshake, all systems tested were able to detect the attack; reversing the session direction evaded two out of the three systems. You'd think that the ratio is not bad, but the problem was that the system which passed the test successfully was stateless: it didn't analyze session state. Other high-end stateful systems were deceived.
[00:03:31] The built-in system firewalls of Windows Vista, Linux and Apple systems were tested too. None of these firewalls was able to stop the attack. All of them detected and blocked the hostile activity in a regular session.

[00:03:50] A year later, the NSS Labs company tested six professional firewalls, all of them top of the range, for effectiveness of filtering the data sent in reverse TCP sessions. At that time this problem was already known for more than a year. Five of the six firewalls, theoretically the best ones available, did not block the attack by means of the reverse TCP session, although they managed to block it when it happened during a regular session. The statements summarizing the tests were quite pessimistic. They said that the producers of this type of hardware and software, perhaps unwittingly, misled their clients. The products were tested for known threats, which was a comfortable situation. If you produce software designed to detect threats and you test the software using only known threats, it would probably seem that your software was effective. The problem is that manufacturers of firewalls and intrusion detection systems cannot know all threats, because every now and then new threats surface, and only recently someone has read section 3.3 of the RFC document.
[00:05:05] This shows very strongly that computer system administrators should analyze the data that passes through their systems on their own, but it does not mean that they need to reassemble and review by hand data previously divided into many pieces and packets; such a solution would be inefficient. You just have to use a program such as Wireshark. We will examine this program in the remaining part of this lecture from both the theoretical and practical perspective.