Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
596
Views
0
Helpful
1
Replies

TCP Hijack / TCP Hijack Simplex Mode

electoralreform
Level 1
Level 1

‎10-17-2006 08:40 AM - edited ‎03-10-2019 03:17 AM

Hi,

My NIDS is reporting a lot of TCP Hijacks. I have a fault tolerant hosting environment running transactional websites and most of the source addresses are my webservers 1.1.1.x and the destination addresses are my SQL servers 1.1.2.x with the odd destination being 0.0.0.0. There are also a few global addresses that at most trigger 8 Alarm Counts

I've looked around and can't find much on this and the Cisco NSDb only states "The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."

Can anyone shed more light on this?

Thanks in advance

Damian Coverly

Labels:
0 Helpful
1 Reply 1

jlimbo
Level 1
Level 1

‎10-17-2006 05:53 PM

Hi Damian,

The signatures look for a number of "old ACK's" those which are already seen by the sensor.

To look into this further I would recommend capturing some traffic to see what the host is exactly doing on the network. Are they firing off random ACK's alone? Is there a pattern in the sequence numbers its using? Or is this simply some latency or how the application may behave.

The destination 0.0.0.0 indicates this is a summarized event.

-jonathan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card