TCP Segment Overwrite

Unanswered Question
Feb 2nd, 2007

I've been receiving events in my network firing the Signature 1300 TCP Segment Overwrite.

What is the cause of this firing? Could anyone tell me the potential danger of this in my net? Does anyone recommend a filter between inside sources and destinations?

Thank you,

nicksmi Fri, 02/02/2007 - 12:58

For an answer, I refer you to the MySDN entry for this signature:

http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=3840

Which says, "TCP streams are broken up into units called segments for transportation across the network, and TCP segments are encapsulated into IP packets. When received by a remote host in a TCP conversation, the segments are buffered from the network and then reassembled into a stream, which are passed to the controlling application. By manipulating the way in which a TCP stream is segmented, it is possible to evade detection by some firewalls and intrusion detection systems. The technique is to overwrite a portion of a previous segment in a stream with new data in a subsequent segment. This method allows an attacker to hide, or obfuscate, their attack on the network. Overwriting TCP segments is allowed by the TCP protocol, but it does not usually occur in normal network traffic and should be considered suspicious."

mhellman Fri, 02/02/2007 - 15:09

We see lots of these internally. The ones I've investigated appeared to be misbehaving apps or clients and have not been malicious. You can't really see what the sig is checking for, but in the traces I looked at there were a lot of TCP segments out of order and duplicates.

One theory I have regarding these, especially if you are correct and it detects duplicates, is that if, like us, you're sending an IPS unit traffic streams from multiple sources and the traffic happens to traverse both sources, it may be seen as duplicate segments when it's really two copies of the same traffic being forwarded to IPS.
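An added example, not part of any post in this thread and not the logic of signature 1300 (which the thread notes is not visible): when triaging a capture, it helps to separate overlapping segments that carry identical bytes (retransmissions, or the same traffic copied to the sensor twice) from overlaps that carry different bytes, which is the overwrite the MySDN text describes. The function name, its parameters and the sample segments are constructed for illustration.

```python
from typing import Dict, List, Tuple

def classify_segments(isn: int, segments: List[Tuple[int, bytes]]) -> List[str]:
    """Label each segment of ONE direction of ONE flow, in arrival order.

    isn      -- sequence number of the first data byte (hypothetical parameter)
    segments -- (sequence number, payload) pairs
    Labels: 'new', 'duplicate', 'partial-overlap', 'overwrite'.
    """
    seen: Dict[int, int] = {}            # stream offset -> byte first received
    labels = []
    for seq, payload in segments:
        start = (seq - isn) & 0xFFFFFFFF  # relative offset, survives 32-bit wrap
        overlap = conflict = 0
        for i, b in enumerate(payload):
            old = seen.get(start + i)
            if old is None:
                seen[start + i] = b       # keep the first copy for comparison
            else:
                overlap += 1
                conflict += old != b      # same offset, different data
        if conflict:
            labels.append("overwrite")        # matches the MySDN description
        elif payload and overlap == len(payload):
            labels.append("duplicate")        # retransmit or doubled capture feed
        elif overlap:
            labels.append("partial-overlap")  # re-segmented retransmit, same bytes
        else:
            labels.append("new")              # includes out-of-order arrivals
    return labels

# Constructed sample: the ISN is chosen so sequence numbers wrap past 2**32.
ISN = 0xFFFFFFF0
SAMPLE = [
    (ISN, b"GET /index"),                          # offsets 0-9
    ((ISN + 20) & 0xFFFFFFFF, b" HTTP/1.1\r\n"),   # out of order, offsets 20-30
    (ISN, b"GET /index"),                          # exact duplicate
    ((ISN + 10) & 0xFFFFFFFF, b".html?a=1 "),      # fills the gap, offsets 10-19
    ((ISN + 26) & 0xFFFFFFFF, b"1.1\r\nHost:"),    # same bytes plus new data
    ((ISN + 5) & 0xFFFFFFFF, b"XXXXX"),            # differs from bytes already seen
]

if __name__ == "__main__":
    for (seq, data), label in zip(SAMPLE, classify_segments(ISN, SAMPLE)):
        print(f"seq={seq:#010x} len={len(data):2d} {label}")
```

If every overlap in a trace comes back as duplicate or partial-overlap, that is consistent with the benign causes described in the replies above; an overwrite label marks a segment whose payload should be compared against the earlier copy by hand.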

Anonymous (not verified) Mon, 03/05/2007 - 20:35
