TCP Hijack / TCP Hijack Simplex Mode
10-17-2006 08:40 AM - edited 03-10-2019 03:17 AM
Hi,
My NIDS is reporting a lot of TCP Hijacks. I have a fault-tolerant hosting environment running transactional websites, and most of the source addresses are my webservers 1.1.1.x and the destination addresses are my SQL servers 1.1.2.x, with the odd destination being 0.0.0.0. There are also a few global addresses that at most trigger 8 Alarm Counts.
I've looked around and can't find much on this and the Cisco NSDb only states "The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."
Can anyone shed more light on this?
Thanks in advance
Damian Coverly
Labels: IPS and IDS
10-17-2006 05:53 PM
Hi Damian,
The signatures look for a number of "old ACKs", those already seen by the sensor.
To look into this further I would recommend capturing some traffic to see what the host is exactly doing on the network. Are they firing off random ACKs alone? Is there a pattern in the sequence numbers it's using? Or is this simply some latency, or how the application may behave?
The destination 0.0.0.0 indicates this is a summarized event.
-jonathan
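To make the "old ACK" logic in Jonathan's reply concrete, here is an added example of a minimal per-flow tracker of that kind, run over a constructed set of segments that mimic the web-server-to-SQL-server flows in the question. It is not Cisco IPS code and does not reproduce the real signature's thresholds or tuning; the flow key, the threshold of three old ACKs per flow, and the sample segments are all assumptions made for illustration. It is the kind of check one can apply to a packet capture to see whether a host is repeatedly acknowledging data the sensor has already seen acknowledged, which is what the signature reacts to.

```python
"""Added example: a minimal 'old ACK' tracker of the kind the TCP Hijack
signature family uses (not Cisco's implementation; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment, reduced to the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str  # e.g. "A", "PA", "S", "SA"


def ack_behind(new_ack: int, high_ack: int) -> bool:
    """True when new_ack is older than high_ack, allowing for 32-bit wrap.

    A duplicate ACK (new_ack == high_ack) is normal flow control and is not
    treated as 'behind'; only an ACK that moves backwards counts.
    """
    diff = (new_ack - high_ack) & 0xFFFFFFFF
    return diff >= 0x80000000  # negative in signed 32-bit arithmetic


class OldAckTracker:
    """Counts ACK-only regressions per flow and raises an alarm at a threshold."""

    def __init__(self, threshold: int = 3):  # threshold is an assumed value
        self.threshold = threshold
        self.high_ack = {}                    # flow key -> highest ACK seen
        self.old_acks = defaultdict(int)      # flow key -> old-ACK count
        self.alarms = []                      # flow keys that crossed the threshold

    def observe(self, seg: Segment) -> None:
        if "A" not in seg.flags:
            return  # SYN, RST etc. carry no acknowledgement to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.high_ack:
            self.high_ack[key] = seg.ack
            return
        if ack_behind(seg.ack, self.high_ack[key]):
            self.old_acks[key] += 1
            if self.old_acks[key] == self.threshold:
                self.alarms.append(key)
        else:
            self.high_ack[key] = seg.ack


def run(segments, threshold: int = 3):
    """Feed segments through a tracker; return (alarmed flows, old-ACK counts)."""
    tracker = OldAckTracker(threshold)
    for seg in segments:
        tracker.observe(seg)
    return tracker.alarms, dict(tracker.old_acks)


# Constructed sample: flow A keeps acknowledging behind its own high-water
# mark; flow B is a normal, monotonically advancing connection.
FLOW_A = ("1.1.1.10", 40001, "1.1.2.5", 1433)
FLOW_B = ("1.1.1.11", 40002, "1.1.2.6", 1433)
SAMPLE = [
    Segment(*FLOW_A, seq=1000, ack=5000, flags="A"),
    Segment(*FLOW_A, seq=1100, ack=5200, flags="PA"),
    Segment(*FLOW_A, seq=1200, ack=5100, flags="A"),   # old ACK 1
    Segment(*FLOW_B, seq=2000, ack=9000, flags="A"),
    Segment(*FLOW_A, seq=1300, ack=5000, flags="A"),   # old ACK 2
    Segment(*FLOW_B, seq=2100, ack=9200, flags="PA"),
    Segment(*FLOW_A, seq=1400, ack=5150, flags="A"),   # old ACK 3 -> alarm
    Segment(*FLOW_B, seq=2200, ack=9200, flags="A"),   # duplicate ACK, benign
    Segment(*FLOW_A, seq=1500, ack=5300, flags="A"),   # advances again
]

if __name__ == "__main__":
    alarms, counts = run(SAMPLE)
    for key in alarms:
        print("old-ACK alarm on flow", key, "count", counts[key])
```

In a real capture the same idea is worth applying per direction of each connection, because a legitimate client ACKing slowly behind a fast server looks very different from a third host injecting ACK-only segments into a flow it did not open; comparing the source MAC or TTL of the regressing segments with the rest of the flow is the quickest way to tell the two apart.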
