ADSM-L

TSM and IP hijacking

2003-07-14 02:43:45
Subject: TSM and IP hijacking
From: "Tomáš Hrouda Ing." <throuda AT HTD DOT CZ>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 14 Jul 2003 08:42:47 +0200
FW: Tivoli - backup

Hi all,

today I obtained this mail (translated) from one of our customers. I am not
much of a networking guru; I only know that an IDS is some kind of network
monitoring and analyzing tool, but I don't know exactly what the IDS
probes do and how they work. These messages are reported somewhere on the firewall, and TSM
communication was interpreted as potential hijacking (by the customer's people).
Can anybody give me some advice on what is going on and what to do or
tell our customer representatives?

Any help will be appreciated.
Tomas

 -----Original Message-----
Sent: Thursday, July 10, 2003 9:58 AM
Subject: Tivoli - backup

          During backup by TSM we obtained these messages from the IDS probes:  IP
hijacking allows attackers to execute commands into someone's session
(TCP_Hijacking_Tool)
   We know that it is not hijacking, but it is not standard behavior. Can we
do something with TSM communications to get rid of it?


   This is a detailed view of the problem:

  IP hijacking allows attackers to execute commands into someone's session
(TCP_Hijacking_Tool)

  About this signature or vulnerability

  RealSecure Server Sensor, RealSecure Network Sensor:

  This signature detects the use of a TCP hijacking tool on your network.
This indicates an attacker's attempt to determine the TCP sequence and
acknowledgement numbers that two hosts are using in a communication session.

  False positives

  RealSecure Network Sensor, RealSecure Server Sensor: Though unlikely, it
is possible that a random TCP packet might show the same pattern as used by
a hijacking tool. It is important to examine the context in which this event
is seen.

  Default risk level

  High

  Sensors that have this signature

  RealSecure Server Sensor: 7.0, RealSecure Network Sensor: 7.0, RealSecure
Network Sensor: 2.5, RealSecure Server Sensor: 5.5

  Systems affected

  Any application: Any version

  Type

  Suspicious Activity

  Vulnerability description

  A number of publicly available tools exist to facilitate the hijacking of
TCP sessions. Using such tools, an attacker can determine the TCP sequence
and acknowledgement numbers that two hosts are using in a communication
session. This information could enable the attacker to take over the
legitimate network connection of an authorized user and inject commands into
the session. This is particularly serious because most forms of one-time
passwords do not prevent this access.

  Most of these hijacking tools generate specific packets that can be
detected by an intrusion detection system.

  How to remove this vulnerability

  Use encrypted IP or encrypted login programs if possible, and contact your
vendor for patches to correct TCP sequence prediction vulnerabilities.

  References

  CERT Advisory CA-1995-01
  IP Spoofing Attacks and Hijacked Terminal Connections
  <http://www.cert.org/advisories/CA-1995-01.html>

  ISS X-Force
  IP hijacking allows attackers to execute commands into someone's session
  <http://www.iss.net/security_center/static/629.php>




  Jirka Havelka
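As an added example (not part of this thread, and not how ISS's RealSecure signature works internally): a small context check a defender can run over a reconstructed TCP stream before treating a "TCP_Hijacking_Tool" alert as real. It assumes the segments have already been pulled out of a capture as (direction, seq, payload) tuples; the two sample streams are constructed, not real TSM traffic.

```python
from collections import defaultdict

def analyse_stream(segments):
    """segments: list of (direction, seq, payload) tuples in arrival order.
    Each direction is tracked separately. Returns (index, finding) pairs.
    Same seq + same bytes is an ordinary retransmission; same seq + different
    bytes means two senders are writing one side of the session, which is
    what an injected segment looks like after a hijack tool has guessed the
    sequence numbers."""
    seen = defaultdict(dict)          # direction -> {seq: payload}
    findings = []
    for n, (direction, seq, payload) in enumerate(segments):
        if not payload:               # pure ACKs carry no data to overlap
            continue
        history = seen[direction]
        if seq in history:
            if history[seq] == payload:
                findings.append((n, "retransmission"))
            else:
                findings.append((n, "overlap-with-different-data"))
        else:
            history[seq] = payload
    return findings

def pure_ack_run(segments, limit=6):
    """True if payload-less segments bounce back and forth `limit` times in a
    row. Such an "ACK storm" is the other classic sign of a desynchronised
    session; a healthy backup stream keeps moving data."""
    longest = run = 0
    for _, _, payload in segments:
        run = run + 1 if not payload else 0
        longest = max(longest, run)
    return longest >= limit

# Constructed sample streams ("c" = client, "s" = server); not real captures.
NORMAL = [("c", 1000, b"A" * 100), ("s", 5000, b""),
          ("c", 1000, b"A" * 100),            # lost ACK, plain retransmission
          ("s", 5000, b""), ("c", 1100, b"B" * 100)]

INJECTED = [("c", 1000, b"A" * 10), ("s", 5000, b""),
            ("c", 1010, b"XXX"),               # foreign bytes at the next seq
            ("s", 5000, b""),
            ("c", 1010, b"B" * 10)]            # real client: same seq, other data
INJECTED += [("s", 5000, b""), ("c", 1020, b"")] * 4   # both sides now only ACK
```

A retransmission-only result on a backup stream supports the "false positive, examine the context" reading in the signature text; overlapping data or an ACK storm does not.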
