Which says, "TCP streams are broken up into units called segments for transportation across the network, and TCP segments are encapsulated into IP packets. When received by a remote host in a TCP conversation, the segments are buffered from the network and then reassembled into a stream, which is passed to the controlling application. By manipulating the way in which a TCP stream is segmented, it is possible to evade detection by some firewalls and intrusion detection systems. The technique is to overwrite a portion of a previous segment in a stream with new data in a subsequent segment. This method allows an attacker to hide, or obfuscate, their attack on the network. Overwriting TCP segments is allowed by the TCP protocol, but it does not usually occur in normal network traffic and should be considered suspicious."
We see lots of these internally. The ones I've investigated appeared to be misbehaving apps or clients and have not been malicious. You can't really see what the sig is checking for, but in the traces I looked at there were a lot of TCP segments out of order and duplicates.
One theory I have regarding these, especially if you are correct and it detects duplicates, is that if, like us, you're sending an IPS unit traffic streams from multiple sources and the traffic happens to traverse both sources, it may be seen as duplicate segments when it's really two copies of the same traffic being forwarded to the IPS.
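As an added example (not code from this thread or from the IPS vendor), a minimal per-flow tracker that separates the overwrite the signature describes (an overlapping segment carrying different bytes) from the exact duplicates and out-of-order segments the replies observed. Segments and sequence numbers are constructed, and sequence-number wraparound is ignored.

```python
# Added example: classify TCP segments in one direction of a flow as 'new',
# 'duplicate' (exact retransmission) or 'overwrite' (overlap with different bytes).
# Assumptions: sequence numbers do not wrap; the sample segments are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes   # payload carried by this segment

@dataclass
class StreamTracker:
    # byte offset in the stream -> the first byte value seen at that offset
    seen: Dict[int, int] = field(default_factory=dict)
    duplicates: int = 0
    overwrites: int = 0

    def feed(self, seg: Segment) -> str:
        """Return 'new', 'duplicate' or 'overwrite' for this segment."""
        overlap = conflict = False
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off not in self.seen:
                self.seen[off] = b          # keep first copy (receiving hosts differ in which copy they keep)
            elif self.seen[off] != b:
                overlap = conflict = True   # same offset, different byte: the overwrite the signature describes
            else:
                overlap = True              # same offset, same byte: plain retransmission or mirrored copy
        if conflict:
            self.overwrites += 1
            return "overwrite"
        if overlap:
            self.duplicates += 1
            return "duplicate"
        return "new"

    def stream(self) -> bytes:
        """Contiguous bytes from the lowest offset, as a first-copy-wins host would deliver them."""
        if not self.seen:
            return b""
        out, off = bytearray(), min(self.seen)
        while off in self.seen:
            out.append(self.seen[off])
            off += 1
        return bytes(out)

def analyze(segments: List[Segment]) -> List[str]:
    tracker = StreamTracker()
    return [tracker.feed(s) for s in segments]

# Constructed segments: reordering, one exact retransmission and one true overwrite.
SAMPLE = [
    Segment(1010, b".html HTTP/1.0\r\n"),  # arrives before its predecessor: out of order, still 'new'
    Segment(1000, b"GET /index"),
    Segment(1000, b"GET /index"),          # exact retransmission: 'duplicate', not suspicious by itself
    Segment(1004, b"/other"),              # rewrites bytes 1005..1009 with new data: 'overwrite'
]

if __name__ == "__main__":
    print(analyze(SAMPLE))   # ['new', 'new', 'duplicate', 'overwrite']
```

Only the last verdict corresponds to the signature's description; out-of-order arrival and exact duplicates, including two mirrored copies of the same traffic, leave the reassembled bytes unchanged.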