Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
753
Views
5
Helpful
2
Replies

TCP segment Overwrite

mkotova
Level 1
Level 1

‎04-20-2006 01:30 PM - edited ‎03-10-2019 01:59 AM

Recently, I've been seeing a ton of messages on the IPS Event Viewer stating that TCP Segment Overwrites have been detected. The events are from either the IPS-A to our DMZ or vice versa. It just started whenever we added some servers to the network. Does anybody have any suggestions? We traced the packets, it's not hacker related. It seems like maybe a server or app. may be causing the issue. The problem is isolating it. I would appreciate any feedback you could provide. Thanks!

Labels:
0 Helpful
2 Replies 2

smahbub
Level 6
Level 6

‎04-26-2006 10:13 AM

TCP normalization

Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To make sure policy enforcement can occur with no false positives and false negatives, the state of the two TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except for TCP segment retransmits. Overwrites in the TCP session should not occur. If overwrites do occur, someone is intentionally trying to elude the security policy or the TCP stack implementation is broken. Maintaining full information about the state of both endpoints is not possible unless the sensor acts as a TCP proxy. Instead of the sensor acting as a TCP proxy, the segments will be ordered properly and the normalizer will look for any abnormal packets associated with evasion and attacks.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf52e.html

p.mckay
Level 1
Level 1
In response to smahbub

‎09-20-2006 08:05 AM

Very interesting I have also had to deal with a large number of TCP 1300 events and have never been able to filter out or determine that the offending device is a threat. So I would assume from this comment that to have the IDS act as a Proxy you would have to pass the traffic through the device or just how do you setup the sensor to be a proxy. If changing the configuration is required how does this affect other signatures.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card