TCP Hijack / TCP Hijack Simplex Mode

electoralreform
Level 1

Hi,

My NIDS is reporting a lot of TCP Hijacks. I have a fault-tolerant hosting environment running transactional websites, and most of the source addresses are my web servers (1.1.1.x) and the destination addresses are my SQL servers (1.1.2.x), with the odd destination being 0.0.0.0. There are also a few global addresses that at most trigger 8 Alarm Counts.

I've looked around and can't find much on this, and the Cisco NSDb only states: "The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."

Can anyone shed more light on this?

Thanks in advance

Damian Coverly

1 Reply

jlimbo
Level 1

Hi Damian,

The signatures look for a number of "old ACKs", those already seen by the sensor.

To look into this further I would recommend capturing some traffic to see what the hosts are doing on the network. Are they firing off random ACKs alone? Is there a pattern in the sequence numbers they're using? Or is this simply some latency, or how the application may behave?

The destination 0.0.0.0 indicates this is a summarized event.

-jonathan
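The reply above suggests capturing traffic and checking whether the hosts are sending old ACKs on their own and whether the sequence numbers follow a pattern. The script below is an added example of how that triage can be done offline once a capture has been exported to per-segment fields; it is not from this thread and is not Cisco's signature logic. It replays the segments of one connection per direction, tracks the highest acknowledgement number each side has already sent, and flags any later ACK that falls behind it (an "old ACK"), while counting exact repeats of the previous pure ACK separately because those are normal loss-recovery signalling. The hosts (1.1.1.10 and 1.1.2.5), port 51000, the MS SQL port 1433 and the segment list are all constructed to match the poster's address ranges; the classification rule itself is an assumption about what such a signature counts.

```python
"""Triage helper for "old ACK" alerts (added example, not the poster's sensor
output and not Cisco's signature code).  Replays the TCP segments of one
connection in capture order, per direction, and flags ACK segments whose
acknowledgement number falls behind what that direction already acknowledged.
Exact repeats of the previous pure ACK are counted separately: they are normal
duplicate-ACK loss recovery, not hijack indicators.  The rule is an assumption
about what a hijack signature counts, not a reimplementation of one."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

MOD = 1 << 32
FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport): one direction


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int      # absolute sequence number (tcpdump -S / tshark tcp.seq_raw)
    ack: int      # absolute acknowledgement number
    flags: str    # "S", "SA", "A", "PA", ...
    length: int   # payload bytes


def seq_lt(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence space; safe across wrap-around."""
    return (a - b) % MOD > MOD // 2


def classify(segments: List[Segment]):
    """Return (stats, findings).

    stats[flow] counts segments, pure ACKs, duplicate ACKs and regressed ACKs
    per direction; findings lists each regressed ACK as
    (index, flow, seq, ack, highest_ack_seen_before) so the analyst can look
    for a pattern in the numbers the host is sending."""
    highest_ack: Dict[FlowKey, int] = {}
    last_pure: Dict[FlowKey, Tuple[int, int]] = {}
    stats = defaultdict(lambda: {"segments": 0, "pure_ack": 0,
                                 "dup_ack": 0, "regressed_ack": 0})
    findings = []
    for i, s in enumerate(segments):
        key: FlowKey = (s.src, s.sport, s.dst, s.dport)
        st = stats[key]
        st["segments"] += 1
        if "A" not in s.flags:
            continue                       # a bare SYN carries no ack number
        pure = s.flags == "A" and s.length == 0
        if pure:
            st["pure_ack"] += 1
        prev = highest_ack.get(key)
        if prev is not None and seq_lt(s.ack, prev):
            st["regressed_ack"] += 1       # the "old ACK" case
            findings.append((i, key, s.seq, s.ack, prev))
        elif pure and last_pure.get(key) == (s.seq, s.ack):
            st["dup_ack"] += 1             # identical repeat: benign dup-ACK
        if prev is None or seq_lt(prev, s.ack):
            highest_ack[key] = s.ack
        if pure:
            last_pure[key] = (s.seq, s.ack)
    return dict(stats), findings


# Constructed sample: a web server (1.1.1.10) talking to a SQL server (1.1.2.5:1433).
# Hosts and ports are assumptions chosen to match the poster's address ranges.
C2S: FlowKey = ("1.1.1.10", 51000, "1.1.2.5", 1433)
S2C: FlowKey = ("1.1.2.5", 1433, "1.1.1.10", 51000)
SAMPLE_SEGMENTS = [
    Segment(*C2S, 1000, 0, "S", 0),
    Segment(*S2C, 5000, 1001, "SA", 0),
    Segment(*C2S, 1001, 5001, "A", 0),
    Segment(*C2S, 1001, 5001, "PA", 100),   # query
    Segment(*S2C, 5001, 1101, "A", 0),
    Segment(*S2C, 5001, 1101, "PA", 200),   # result set
    Segment(*C2S, 1101, 5201, "A", 0),
    Segment(*C2S, 1101, 5201, "A", 0),      # duplicate ACK: benign
    Segment(*C2S, 1001, 5001, "A", 0),      # regressed ACK: the "old ACK"
    Segment(*C2S, 1101, 5201, "A", 0),
]


def report(segments: List[Segment]) -> str:
    """Human-readable per-direction summary plus one line per regressed ACK."""
    stats, findings = classify(segments)
    lines = []
    for key, st in stats.items():
        lines.append("%s:%d -> %s:%d  %s" % (key[0], key[1], key[2], key[3], st))
    for i, key, seq, ack, prev in findings:
        lines.append("  #%d %s:%d -> %s:%d seq=%d ack=%d but %d already acked"
                     % (i, key[0], key[1], key[2], key[3], seq, ack, prev))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SEGMENTS))
```

To feed a real capture, export absolute sequence and acknowledgement numbers rather than the relative ones tcpdump and Wireshark show by default (for example `tcpdump -nnS`, or `tshark -T fields` with `tcp.seq_raw` and `tcp.ack_raw`), map the flag field to the letter form used here, and build a `Segment` per row. A handful of regressed ACKs spread over many flows is the latency or application-behaviour case the reply mentions; the same stale acknowledgement number repeated at a fixed interval from one host is the pattern worth chasing on that host.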
