Zero window Probe

kiran.raj1
Level 1

Hi All,

I have observed Zero Window Probe events, and the default action says "Modify Packet". Please let me know what the exact action taken by the IPS will be, as I need to understand it thoroughly. Please guide me.

Regards

Kiran

Accepted Solution

Hello Kiran,

The Modify Packet Inline action of signature 1317.0 removes data from the Zero-Window Probe packet.

RFCs 793/1122 allow no data, 1 byte of data, or even a complete data packet in the Zero-Window Probe. If the window opens while the packet is in transit, the receiving end can accept the data. Since the IPS has no way of knowing if the data will be accepted on the receiving end or not, it removes the data. The IPS forces the packet to be a legitimate zero window probe, and removes the possible ambiguity about what data has been processed. Zero window probes are not malicious. The signature exists as a way to control the normalizer behaviour. The behaviour is required so that the normalizer can maintain proper stream state.

Disabling this signature can cause the normalizer to false positive in the following scenario:

```text
Client                Server
------------------Syn>
-------------------ACK>
---------ZeroWindow>
---------ZeroWindow>
```

If the receiver window opens while the above ZWP packet is in flight, the client will accept the packet, the Normalizer will have ignored it, and the normalizer is then out of sync with the stream. The Normalizer will then start producing false alarms.

If signature 1317.0 is enabled, all of the data will be stripped out of the ZeroWindowProbe and there is no potential ambiguity.

Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
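The desync described in the accepted answer, as an added, constructed model (not Cisco IPS code): a toy normalizer that either strips the payload from a data-carrying zero-window probe or leaves the probe alone, replayed against a server whose window reopens while the probe is in flight. The `Segment`, `Normalizer`, `Server` and `run_scenario` names, the 16-byte probe payload and the 4096-byte reopened window are all assumptions made for the example.

```python
# Constructed model of the thread's scenario; not the IPS's actual normalizer.
# Assumption: a zero-window probe is any client data segment sent while the
# server's last advertised window was 0.
from dataclasses import dataclass, field

@dataclass
class Segment:
    seq: int
    payload: bytes

@dataclass
class Normalizer:
    strip_probe_data: bool        # True models signature 1317.0 "Modify Packet Inline"
    server_window: int = 0        # last window the server advertised (0 = stalled)
    expected_seq: int = 0         # next client->server sequence number we expect
    alarms: list = field(default_factory=list)

    def inspect(self, seg: Segment) -> Segment:
        """Return the segment as it is forwarded toward the server."""
        if self.server_window == 0 and seg.payload:  # a zero-window probe carrying data
            if self.strip_probe_data:
                seg = Segment(seg.seq, b"")           # forward it as a pure probe
            else:
                return seg                            # left alone; stream state untouched
        if seg.seq != self.expected_seq:              # gap or overlap => normalizer alarm
            self.alarms.append(f"seq {seg.seq}, expected {self.expected_seq}")
        self.expected_seq = seg.seq + len(seg.payload)
        return seg

@dataclass
class Server:
    window: int = 0               # receive window currently advertised
    rcv_nxt: int = 0              # next byte the server will accept

    def deliver(self, seg: Segment) -> None:
        if seg.seq == self.rcv_nxt and len(seg.payload) <= self.window:
            self.rcv_nxt += len(seg.payload)

def run_scenario(strip_probe_data: bool) -> tuple:
    """Replay the thread's scenario; return (normalizer seq, server seq, alarms)."""
    data = b"GET / HTTP/1.0\r\nHost: example\r\n\r\n"   # constructed client payload
    norm, server = Normalizer(strip_probe_data), Server()
    probe = norm.inspect(Segment(0, data[:16]))        # client probes with real data
    server.window = 4096                               # window reopens while in flight
    server.deliver(probe)                              # server accepts whatever arrived
    norm.server_window = server.window                 # normalizer sees the window update
    nxt = Segment(server.rcv_nxt, data[server.rcv_nxt:])  # client resumes from the ACK
    server.deliver(norm.inspect(nxt))
    return norm.expected_seq, server.rcv_nxt, norm.alarms
```

With stripping on, both sides end at byte 33 with no alarm; with the probe ignored, the server accepts the 16 probe bytes, so the client's next segment at seq 16 looks like a gap to the normalizer and raises a false alarm.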
