Cisco Support Community

TCP Hijack / TCP Hijack Simplex Mode

Hi,

My NIDS is reporting a lot of TCP Hijacks. I have a fault-tolerant hosting environment running transactional websites, and most of the source addresses are my web servers 1.1.1.x and the destination addresses are my SQL servers 1.1.2.x, with the odd destination being 0.0.0.0. There are also a few global addresses that at most trigger 8 Alarm Counts.

I've looked around and can't find much on this and the Cisco NSDb only states "The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."

Can anyone shed more light on this?

Thanks in advance

Damian Coverly

1 REPLY

Re: TCP Hijack / TCP Hijack Simplex Mode

Hi Damian,

The signatures look for a number of "old ACKs", those which have already been seen by the sensor.

To look into this further I would recommend capturing some traffic to see what the host is exactly doing on the network. Are they firing off random ACKs alone? Is there a pattern in the sequence numbers it's using? Or is this simply some latency, or how the application may behave?

The destination 0.0.0.0 indicates this is a summarized event.

-jonathan
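The "old ACK" heuristic described in the reply, as an added example that is not part of the original thread and not Cisco's signature code. It assumes a simplified model: for each unidirectional flow the sensor remembers the highest acknowledgment number it has seen, a bare ACK whose ack number falls below that high-water mark counts as an "old ACK", and a flow that accumulates more than a threshold of them raises an alarm. The summarisation step (many alarms from one source collapsed into one event whose destination shows as 0.0.0.0) is likewise an assumed model of the sensor's summary mode. The segment records, the threshold of 3 and the addresses are constructed for the example.

```python
"""Simplified 'old ACK' TCP hijack heuristic over constructed TCP segment records.
Added example, not the sensor's real implementation; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF


def seq_before(a, b):
    """True if 32-bit sequence/ack number a precedes b, tolerating wraparound
    (serial-number arithmetic: the modular difference is 'negative')."""
    return ((a - b) & SEQ_MASK) >= 0x80000000


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str          # TCP flag letters, e.g. "S", "A", "PA"
    payload_len: int


def flow_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


class OldAckDetector:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.high_ack = {}                  # flow -> highest ack number seen
        self.old_acks = defaultdict(int)    # flow -> count of stale bare ACKs
        self.alarms = []

    def feed(self, seg):
        """Returns True when this segment pushes its flow over the alarm threshold."""
        if "A" not in seg.flags:
            return False
        key = flow_key(seg)
        prev = self.high_ack.get(key)
        if prev is None or seq_before(prev, seg.ack):
            self.high_ack[key] = seg.ack    # normal forward progress
            return False
        # A bare ACK acknowledging less than the sensor already saw acknowledged.
        # Equal ack numbers (duplicate ACKs for loss recovery) are deliberately not counted.
        if seg.payload_len == 0 and seq_before(seg.ack, prev):
            self.old_acks[key] += 1
            if self.old_acks[key] == self.threshold:
                self.alarms.append(key)
                return True
        return False


def run(segments, threshold=3):
    det = OldAckDetector(threshold)
    for seg in segments:
        det.feed(seg)
    return det.alarms


def summarize(alarms, limit):
    """Assumed summary mode: more than `limit` alarms from one source become a single
    event with destination 0.0.0.0 and a count; fewer are reported individually."""
    per_src = defaultdict(list)
    for src, _sport, dst, _dport in alarms:
        per_src[src].append(dst)
    events = []
    for src, dsts in per_src.items():
        if len(dsts) > limit:
            events.append((src, "0.0.0.0", len(dsts)))
        else:
            events.extend((src, dst, 1) for dst in dsts)
    return events


# Constructed traffic, not a real capture.
# Flow 1: web server to SQL server with one reordered (late) ACK: benign, stays under threshold.
WEB_TO_SQL = [
    Segment("1.1.1.10", 40001, "1.1.2.5", 1433, 1000, 5000, "A", 0),
    Segment("1.1.1.10", 40001, "1.1.2.5", 1433, 1000, 6460, "A", 0),
    Segment("1.1.1.10", 40001, "1.1.2.5", 1433, 1000, 5000, "A", 0),   # reordered old ACK
    Segment("1.1.1.10", 40001, "1.1.2.5", 1433, 1000, 7920, "PA", 120),
]
# Flow 2: bare ACKs with steadily stale ack numbers, the pattern the signature keys on.
SPOOFED = [
    Segment("203.0.113.7", 5555, "1.1.2.5", 1433, 2000, 9000, "A", 0),
    Segment("203.0.113.7", 5555, "1.1.2.5", 1433, 2000, 8000, "A", 0),
    Segment("203.0.113.7", 5555, "1.1.2.5", 1433, 2000, 7000, "A", 0),
    Segment("203.0.113.7", 5555, "1.1.2.5", 1433, 2000, 6000, "A", 0),
]

if __name__ == "__main__":
    alarms = run(WEB_TO_SQL + SPOOFED)
    print("alarms:", alarms)
    print("summary:", summarize(alarms, limit=2))
```

The benign flow shows why latency or reordering alone produces a handful of old ACKs without an alarm, while only a run of them on one flow trips it; when triaging the real alerts, capturing the flows and comparing ack numbers against what the sensor has already seen, as suggested above, is the check that separates the two.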
