TCP Segment Overwrites

Unanswered Question
Jan 30th, 2009
We're seeing a lot of these alerts in the IPS and MARS. I've made a few packet captures, but have been unable to completely identify the issue.

If I create a packet capture, I see an occasional duplicate ACK, but those same events don't appear to trigger within the IPS.

These are 3 separate incidents and the logs from each:

tstanik Thu, 02/05/2009 - 06:41
Make sure that you enable the desired interfaces (including subinterfaces) on the router for packet monitoring. You can select any number of interfaces or subinterfaces to be monitored. The packets sent and received on these interfaces are forwarded to NM-CIDS for inspection. You enable and disable the interfaces through the router CLI (Cisco IOS).

marcabal Thu, 02/05/2009 - 06:58
Cisco Employee

Does your sensor see the traffic more than once?

A common situation seen in the field is that the sensor may be monitoring traffic on 2 sides of a router or firewall.

So traffic is seen coming from the client as it goes to the router, and then again from the router to the server. And vice versa for traffic from the server to the router.

This double monitoring can sometimes look like an attack is taking place.

If you do have this situation, then the best solution is to monitor each side of the router with a different virtual sensor. This way each virtual sensor only sees one copy of each packet.

This method can be done for both inline and promiscuous deployments.

Some platforms have a 1 virtual sensor limit while others have a 4 virtual sensor limit. If you are monitoring more networks than the number of virtual sensors, then you won't be able to monitor each network with a separate virtual sensor. If you are doing inline monitoring, then there is another option. There is an inline-TCP-session-tracking mode configuration that can be set to "interface-and-vlan". With this setting the virtual sensor will separately track TCP sessions across the 2 or more networks.

If you truly are monitoring just a single network, then the above is unlikely to be your problem.

The packets you've captured, however, are not enough to test the sensor. Your packet captures are only capturing the end of your TCP session.

If you replay them to the sensor, the sensor will likely ignore the packets.

You will need to capture a complete TCP session including the initial SYN packet that starts the connection.
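As an added illustration of the double-monitoring point above (constructed example code, not Cisco's sensor implementation): a tracker keyed by flow alone versus one keyed by interface and VLAN, fed one client request seen on both sides of a router. It assumes the outside copy's sequence numbers are shifted by the intermediate device, and the last packet belongs to a session whose SYN was never seen, like the truncated captures discussed above.

```python
from dataclasses import dataclass

# Constructed illustration (not Cisco IPS code): how a sensor that keys TCP
# sessions by flow alone can mistake two copies of one session for an overwrite.

@dataclass(frozen=True)
class Seg:
    iface: str        # sensor interface this copy arrived on
    vlan: int
    src: str
    dst: str
    seq: int
    payload: bytes = b""
    syn: bool = False

class Tracker:
    def __init__(self, interface_and_vlan: bool):
        self.interface_and_vlan = interface_and_vlan  # models "interface-and-vlan" mode
        self.sessions = {}                            # key -> {stream offset: byte}

    def key(self, s):
        flow = (s.src, s.dst)
        return (s.iface, s.vlan) + flow if self.interface_and_vlan else flow

    def observe(self, s):
        k = self.key(s)
        if s.syn:                        # a SYN starts tracking for this key
            self.sessions[k] = {}
            return "new"
        seen = self.sessions.get(k)
        if seen is None:                 # mid-stream data with no SYN is ignored
            return "ignored"
        verdict = "ok"
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if off in seen and seen[off] != b:
                verdict = "segment-overwrite"   # same offset, different byte
            seen.setdefault(off, b)
        return verdict

def replay(interface_and_vlan):
    # Constructed traffic: one request seen on both sides of a router; the outside
    # copy's sequence numbers are assumed to be shifted by +3 by that device.
    t = Tracker(interface_and_vlan)
    pkts = [
        Seg("in", 10, "10.0.0.5", "192.0.2.9", 1000, syn=True),
        Seg("out", 20, "10.0.0.5", "192.0.2.9", 1003, syn=True),
        Seg("in", 10, "10.0.0.5", "192.0.2.9", 1001, b"GET /"),
        Seg("out", 20, "10.0.0.5", "192.0.2.9", 1004, b"GET /"),
        Seg("in", 10, "10.0.0.7", "192.0.2.9", 5000, b"x"),   # SYN never seen
    ]
    return [t.observe(p) for p in pkts]
```

`replay(False)` flags the second copy as a segment overwrite, while `replay(True)` keeps the two copies in separate sessions and raises nothing.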