cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1357
Views
0
Helpful
3
Replies

TCP Hijack - Insight required to investigate

omhariharan
Level 1
Level 1

Event ID          1363209060027941200

Severity          high

Host ID          XXXX-IPS

Application Name          sensorApp

Event Time          04/03/2013 16:56:55

Sensor Local Time          04/03/2013 11:26:55

Signature ID          3250

Signature Sub-ID          0

Signature Name          TCP Hijack

Signature Version          S667

Signature Details          TCP Hijack

Interface Group          vs0

VLAN ID          20

Interface          ge0_0

Attacker IP          AAAA

Protocol          tcp

Attacker Port          61952

Attacker Locality          OUT

Target IP          BBBB

Target Port          80

Target Locality          OUT

Target OS          unknown unknown (relevant)

Actions          ipLoggingActivated+denyPacketRequestedNotPerformed+logAttackerPacketsActivated+logVictimPacketsActivated

Risk Rating          TVR=medium ARR=relevant

Risk Rating Value          100

Threat Rating          100

Reputation

Context Data

Packet Data          Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2013-04-03 16:56:55.962 ----

Ether:

Ether:   dst =  0:0:c:7:ac:5

Ether:   src =  0:13:c4:4e:2d:bf

Ether: proto =  0x8100 "(VLAN) IEEE 802.1q"

Ether:

VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----

VLAN:

VLAN: flags = 0000000000010100 20

VLAN:         000............. 0x0 = [priority]

VLAN:         ...0............ 0x0 = [cfi]

VLAN:         ....000000010100 20 = [id]

VLAN:  type =  0x800 "(IP) Internet protocol (v4 or v6)"

VLAN:

IPv4: ---- IPv4 RFC=791 OSI=3 ----

IPv4:

IPv4:      ver =  4 "Internet Protocol version 4"

IPv4:     hlen =  5 (20 bytes) "No IP options present"

IPv4:      tos = 00000000 0x0

IPv4:            000..... 0x0 = [precedence] "Routine"

IPv4:            ...0.... 0x0 = [delay] "Normal delay"

IPv4:            ....0... 0x0 = [throughput] "Normal throughput"

IPv4:            .....0.. 0x0 = [reliability] "Normal reliability"

IPv4:            ......00 0x0 = [reserved]

IPv4:      len =  52 (32 bytes of data)

IPv4:       id =  0x6c1

IPv4:    flags = 010 0x2 (bit fields)

IPv4:            0.. 0x0 = [reserved]

IPv4:            .1. 0x1 = [df] "Do not fragment"

IPv4:            ..0 0x0 = [mf] "no more fragments"

IPv4:   offset =  0 (0 bytes)

IPv4:      ttl =  127 (hops)

IPv4: protocol =  6 "(TCP) Transmition Control Protocol (RFC793)"

IPv4: checksum =  0x40ff

IPv4:    saddr =  AAAA

IPv4:    daddr =  BBBB

IPv4:

TCP: ---- TCP RFC=793 OSI=4 ----

TCP:

TCP: sport =  61952

TCP: dport =  80

TCP:   seq =  2512247734

TCP:   ack =  2410330435

TCP:  hlen =  8 (32 bytes)

TCP:   res =  0

TCP:  code = 010000 0x10

TCP:         0..... 0x0 = [urg]

TCP:         .1.... 0x1 = [ack] "Acknowledgement Field Significant"

TCP:         ..0... 0x0 = [psh]

TCP:         ...0.. 0x0 = [rst]

TCP:         ....0. 0x0 = [syn]

TCP:         .....0 0x0 = [fin]

TCP:   win =  65205 (bytes)

TCP:   crc =  0xb0d2 (CRC-16)

TCP:   urg =  0 (byte offset)

TCP:

TCP: Options: (12 bytes)

TCP:   Opt #1: NOP(1) skipped 1 byte

TCP:   Opt #2: NOP(1) skipped 1 byte

TCP:   Opt #3: SACK Option(5) contains 0 blocks

TCP:

Data: 0000  8f aa be a7 8f ab 8b 7f               ........

Data:

Event Summary          0

Initial Alert

Summary Type

Final Alert

Event Status          New

Event Notes

We got an alert like this. But struggling to find out whether its malignant traffic. Any help would be deeply appreciated

3 Replies 3

_____Adam
Level 1
Level 1

Unfortunately this signature in particular cannot be easily determined from the information in the alert alone.

From the sig description:

"Triggers when both streams of data within a TCP connection indicate that a TCP hijacking may have occurred. The current implementation of this signature does not detect all types of TCP hijacking and false positives may occur. Even when hijacking is discovered, little information is available to the operator other than the source and destination addresses and ports of the systems being affected.  TCP Hijacking may be used to gain illegal access to system resources.

This signature fires upon detecting old, out of sequence ack packets. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event. If it is successfully launched it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Recommend security professional consultation to assist in the investigation.

This signature functions in promiscuous mode. However, while monitoring utilizing in-line mode, this signature is automatically disabled due to the protection provided by 1300 series of signatures."

More information is needed to take any action here such as the type of the two machines involved (how are they typically used, are they end user/server machines, etc) and if this attack makes sense in that scenario or if it is likely a false positive from telnet or some sort of other network anomaly.

Thank you Adam. I have already read the signature information.

Any direction as to how to investigate for these kind of packets would be more helpful for me since I'm the security guy here.

This definitely does not look like ordinary browsing traffic. The source was internal ip address and the destination was a public ip address.

This is the first TCP Hijack I have received from this source IP.

If this is a real TCP hijacking attempt then the internal IP is likely spoofed and therefore inaccurate.  The attacker may actually be at another IP address so this complicates investigating the machine itself.

As the sig description says, this signature does have the potential to false positive in some cases so it should only raise concern if you see other sig alerts firing in similar time windows.

Review Cisco Networking for a $25 gift card