TCP Segment Overwrite - IDSM2 with IPS5.1(1d)

yvasanthk (Level 1)

Hi,

I have an IDSM2 running IPS 5.1(1d) S220, recently upgraded from 4.x. My network has Windows desktops (spread across multiple subnets) whose default gateway is a Cisco 6500 FWSM module.

Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my Windows PCs, and the destination addresses are Windows 2003 servers. Sometimes the destination address is 0.0.0.0 and the ports are empty.

It is difficult to ignore so many alarms unless there is a technical explanation to see whether the placement of the FWSM is causing the IPS to treat this as a threat.

Can someone help me to get out of this issue?

2 Replies

bitterman (Level 1)

The 0.0.0.0 addresses with 0 ports are the summary alerts: it fired x times in the last minute, etc.

darin.marais (Level 4)

I found this on a previously written thread. I cannot find the thread anymore. All credit is given to the message owner. I hope the reply helps.

mlhall of CISCO SYSTEMS wrote:

Oct 6, 2003, 11:06am PST

I have several packet traces from several customers that see this alert. There appears to be a bug in the Microsoft TCP stack when connections go stale. What happens is that the last successful segment's last byte is resent with a value of 0xff. This is after the other end host has ACKed the sequence from the last segments.

So for example.

a->b seq=100 data="ABCDEFG"

b->a ack=107 no data

a->b seq=106 data="(0xff)"

The last packet in the example is overwriting the G in the first packet with a 0xff. This causes the IDS to fire. We are working on detecting this stack bug in a new version.
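To make the quoted explanation concrete, here is an added example (not Cisco IPS code and not part of the original thread) of the kind of per-flow check that produces a TCP Segment Overwrite alert. It reassembles each direction of a flow by sequence number, remembers the byte first seen at each position, and flags any segment that re-sends an already-seen position with different data. The same check is run on the exact three-segment exchange quoted above and on an ordinary retransmission, which resends identical bytes and therefore must not fire. The `Segment`, `FlowState` and `OverwriteDetector` names, the sample traces and the simplification of ignoring 32-bit sequence-number wraparound are all assumptions of this example.

```python
"""
Minimal TCP segment-overwrite detector (constructed illustration, not Cisco IPS code).

Per flow it records the payload byte first observed at each sequence number.
A later segment that covers an already-seen sequence number with a DIFFERENT
byte is an overwrite and produces an alert. A retransmission of identical
bytes is not an overwrite. Sequence numbers are treated as plain integers
(no 32-bit wraparound handling) to keep the example short.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    src: str                     # sending endpoint, e.g. "a" or "10.0.0.5:1234"
    dst: str                     # receiving endpoint
    seq: int                     # sequence number of the first payload byte
    data: bytes = b""            # payload; empty for a pure ACK
    ack: Optional[int] = None    # acknowledgment number, if the segment carries one


@dataclass
class FlowState:
    seen: Dict[int, int] = field(default_factory=dict)  # seq position -> byte first seen there
    acked_upto: int = 0                                 # highest ACK the peer has sent for this direction


# (src, dst, seq position, original byte, new byte, peer had already ACKed this position)
Alert = Tuple[str, str, int, int, int, bool]


class OverwriteDetector:
    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], FlowState] = {}
        self.alerts: List[Alert] = []

    def process(self, seg: Segment) -> int:
        """Feed one segment; return how many already-seen bytes it overwrote."""
        if seg.ack is not None:
            # An ACK from dst->src acknowledges the src->dst direction of the flow.
            peer_dir = self.flows.setdefault((seg.dst, seg.src), FlowState())
            peer_dir.acked_upto = max(peer_dir.acked_upto, seg.ack)
        if not seg.data:
            return 0                                    # pure ACK carries no stream bytes

        state = self.flows.setdefault((seg.src, seg.dst), FlowState())
        overwritten = 0
        for offset, byte in enumerate(seg.data):        # iterating bytes yields ints
            pos = seg.seq + offset
            old = state.seen.get(pos)
            if old is None:
                state.seen[pos] = byte                  # first time this position is seen
            elif old != byte:
                overwritten += 1
                already_acked = pos < state.acked_upto  # receiver has already accepted the old byte
                self.alerts.append((seg.src, seg.dst, pos, old, byte, already_acked))
                # Keep the original byte: that is what the receiver holds and has ACKed.
        return overwritten


def replay(segments: List[Segment]) -> List[Alert]:
    """Run a trace through a fresh detector and return the alerts it raised."""
    det = OverwriteDetector()
    for seg in segments:
        det.process(seg)
    return det.alerts


# Constructed sample input: the stale-connection exchange quoted in the reply above.
STALE_CONNECTION = [
    Segment("a", "b", seq=100, data=b"ABCDEFG"),        # occupies positions 100..106
    Segment("b", "a", seq=500, ack=107),                # b acknowledges everything through 106
    Segment("a", "b", seq=106, data=b"\xff"),           # a re-sends position 106 as 0xff
]

# Constructed sample input: a normal retransmission of identical bytes (no alert expected).
BENIGN_RETRANSMIT = [
    Segment("a", "b", seq=100, data=b"ABCDEFG"),
    Segment("a", "b", seq=100, data=b"ABCDEFG"),
]

if __name__ == "__main__":
    for name, trace in (("stale", STALE_CONNECTION), ("benign", BENIGN_RETRANSMIT)):
        alerts = replay(trace)
        print(f"{name}: {len(alerts)} overwrite alert(s)")
        for src, dst, pos, old, new, acked in alerts:
            print(f"  {src}->{dst} seq={pos}: was 0x{old:02x} ({chr(old)!r}), "
                  f"now 0x{new:02x}, already ACKed by peer: {acked}")
```

On the quoted trace the detector raises exactly one alert: position 106 was `G` (0x47), is re-sent as 0xff, and the peer had already ACKed it (ack=107), which is the situation the original poster is seeing. The plain retransmission raises none, which is the distinction a sensor has to draw before it can suppress the stack bug without also suppressing genuine overwrite attempts.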
