topic TCP Hijack - Insight required to investigate in Network Security

TCP Hijack - Insight required to investigate

omhariharan — Sun, 10 Mar 2019 12:56:19 GMT

Event ID 1363209060027941200

Severity high

Host ID XXXX-IPS

Application Name sensorApp

Event Time 04/03/2013 16:56:55

Sensor Local Time 04/03/2013 11:26:55

Signature ID 3250

Signature Sub-ID 0

Signature Name TCP Hijack

Signature Version S667

Signature Details TCP Hijack

Interface Group vs0

VLAN ID 20

Interface ge0_0

Attacker IP AAAA

Protocol tcp

Attacker Port 61952

Attacker Locality OUT

Target IP BBBB

Target Port 80

Target Locality OUT

Target OS unknown unknown (relevant)

Actions ipLoggingActivated+denyPacketRequestedNotPerformed+logAttackerPacketsActivated+logVictimPacketsActivated

Risk Rating TVR=medium ARR=relevant

Risk Rating Value 100

Threat Rating 100

Reputation

Context Data

Packet Data Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2013-04-03 16:56:55.962 ----

Ether:

Ether: dst = 0:0:c:7:ac:5

Ether: src = 0:13:c4:4e:2d:bf

Ether: proto = 0x8100 "(VLAN) IEEE 802.1q"

Ether:

VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----

VLAN:

VLAN: flags = 0000000000010100 20

VLAN: 000............. 0x0 = [priority]

VLAN: ...0............ 0x0 = [cfi]

VLAN: ....000000010100 20 = [id]

VLAN: type = 0x800 "(IP) Internet protocol (v4 or v6)"

VLAN:

IPv4: ---- IPv4 RFC=791 OSI=3 ----

IPv4:

IPv4: ver = 4 "Internet Protocol version 4"

IPv4: hlen = 5 (20 bytes) "No IP options present"

IPv4: tos = 00000000 0x0

IPv4: 000..... 0x0 = [precedence] "Routine"

IPv4: ...0.... 0x0 = [delay] "Normal delay"

IPv4: ....0... 0x0 = [throughput] "Normal throughput"

IPv4: .....0.. 0x0 = [reliability] "Normal reliability"

IPv4: ......00 0x0 = [reserved]

IPv4: len = 52 (32 bytes of data)

IPv4: id = 0x6c1

IPv4: flags = 010 0x2 (bit fields)

IPv4: 0.. 0x0 = [reserved]

IPv4: .1. 0x1 = [df] "Do not fragment"

IPv4: ..0 0x0 = [mf] "no more fragments"

IPv4: offset = 0 (0 bytes)

IPv4: ttl = 127 (hops)

IPv4: protocol = 6 "(TCP) Transmition Control Protocol (RFC793)"

IPv4: checksum = 0x40ff

IPv4: saddr = AAAA

IPv4: daddr = BBBB

IPv4:

TCP: ---- TCP RFC=793 OSI=4 ----

TCP:

TCP: sport = 61952

TCP: dport = 80

TCP: seq = 2512247734

TCP: ack = 2410330435

TCP: hlen = 8 (32 bytes)

TCP: res = 0

TCP: code = 010000 0x10

TCP: 0..... 0x0 = [urg]

TCP: .1.... 0x1 = [ack] "Acknowledgement Field Significant"

TCP: ..0... 0x0 = [psh]

TCP: ...0.. 0x0 = [rst]

TCP: ....0. 0x0 = [syn]

TCP: .....0 0x0 = [fin]

TCP: win = 65205 (bytes)

TCP: crc = 0xb0d2 (CRC-16)

TCP: urg = 0 (byte offset)

TCP:

TCP: Options: (12 bytes)

TCP: Opt #1: NOP(1) skipped 1 byte

TCP: Opt #2: NOP(1) skipped 1 byte

TCP: Opt #3: SACK Option(5) contains 0 blocks

TCP:

Data: 0000 8f aa be a7 8f ab 8b 7f ........

Data:

Event Summary 0

Initial Alert

Summary Type

Final Alert

Event Status New

Event Notes

We got an alert like this. But struggling to find out whether its malignant traffic. Any help would be deeply appreciated

TCP Hijack - Insight required to investigate

_____Adam — Wed, 03 Apr 2013 18:17:30 GMT

Unfortunately this signature in particular cannot be easily determined from the information in the alert alone.

From the sig description:

"Triggers when both streams of data within a TCP connection indicate that a TCP hijacking may have occurred. The current implementation of this signature does not detect all types of TCP hijacking and false positives may occur. Even when hijacking is discovered, little information is available to the operator other than the source and destination addresses and ports of the systems being affected. TCP Hijacking may be used to gain illegal access to system resources.

This signature fires upon detecting old, out of sequence ack packets. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event. If it is successfully launched it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Recommend security professional consultation to assist in the investigation.

This signature functions in promiscuous mode. However, while monitoring utilizing in-line mode, this signature is automatically disabled due to the protection provided by 1300 series of signatures."

More information is needed to take any action here such as the type of the two machines involved (how are they typically used, are they end user/server machines, etc) and if this attack makes sense in that scenario or if it is likely a false positive from telnet or some sort of other network anomaly.

TCP Hijack - Insight required to investigate

omhariharan — Thu, 04 Apr 2013 05:29:02 GMT

Thank you Adam. I have already read the signature information.

Any direction as to how to investigate for these kind of packets would be more helpful for me since I'm the security guy here.

This definitely does not look like ordinary browsing traffic. The source was internal ip address and the destination was a public ip address.

This is the first TCP Hijack I have received from this source IP.

TCP Hijack - Insight required to investigate

_____Adam — Thu, 04 Apr 2013 19:42:18 GMT

If this is a real TCP hijacking attempt then the internal IP is likely spoofed and therefore inaccurate. The attacker may actually be at another IP address so this complicates investigating the machine itself.

As the sig description says, this signature does have the potential to false positive in some cases so it should only raise concern if you see other sig alerts firing in similar time windows.