ADSM-L

Re: TSM and IP hijacking

2003-07-14 04:52:06
Subject: Re: TSM and IP hijacking
From: Remco Post <r.post AT SARA DOT NL>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 14 Jul 2003 10:51:35 +0200
On Mon, 14 Jul 2003 08:42:47 +0200
"Tomáš Hrouda Ing." <throuda AT HTD DOT CZ> wrote:

> FW: Tivoli - backup
> Hi all,
> 
> today I obtained this mail (translated) from one of our customers. I am not
> a networking guru, I only know that IDS is some kind of network
> monitoring and analyzing tool, but I don't know exactly what and how the
> IDS probes are working. These messages are reported somewhere on the firewall and
> TSM communication was interpreted as potential hijacking (by the customer's
> people). Can anybody give me some advice about what is going on and what
> to do or tell our customer representatives?
> 

Tell your customer that network backups generate a _lot_ of TCP traffic.
From that TCP traffic, one could deduce the TCP sequencing
algorithm used (though usually, it's much easier to just 'fingerprint' the
OS used...). They are likely to see these warnings during TSM backups
because:

1- TSM uses multiple sessions to the same service
2- TSM sends out a lot of data

You can tell your customer that this is normal behaviour for TSM, that they
should not worry about clients in their network generating a lot of traffic
to port 1500 (or whatever) of your TSM server. If they have their systems
up-to-date and did not change the TCP sequencing algorithm used, they are
ok.


> Any help will be appreciated.
> Tomas
> 
>  -----Original Message-----
> Sent: Thursday, July 10, 2003 9:58 AM
> Subject: Tivoli - backup
> 
>    During backup by TSM we obtained these messages from the IDS probes:
>    IP hijacking allows attackers to execute commands into someone's session
>    (TCP_Hijacking_Tool)
>    We know that it is not hijacking, but it is not standard behavior. Can
>    we do something with TSM communications to get it out?
> 
> 
>    This is detailed view of problem:
> 
>   IP hijacking allows attackers to execute commands into someone's session
> (TCP_Hijacking_Tool)
> 
>   About this signature or vulnerability
> 
>   RealSecure Server Sensor, RealSecure Network Sensor:
> 
>   This signature detects the use of a TCP hijacking tool on your network.
> This indicates an attacker's attempt to determine the TCP sequence and
> acknowledgement numbers that two hosts are using in a communication
> session.
> 
>   False positives
> 
>   RealSecure Network Sensor, RealSecure Server Sensor: Though unlikely, it
> is possible that a random TCP packet might show the same pattern as used
> by a hijacking tool. It is important to examine the context in which this
> event is seen.
> 
>   Default risk level
> 
>   High
> 
>   Sensors that have this signature
> 
>   RealSecure Server Sensor: 7.0, RealSecure Network Sensor: 7.0,
>   RealSecure Network Sensor: 2.5, RealSecure Server Sensor: 5.5
> 
>   Systems affected
> 
>   Any application: Any version
> 
>   Type
> 
>   Suspicious Activity
> 
>   Vulnerability description
> 
>   A number of publicly available tools exist to facilitate the hijacking
>   of TCP sessions. Using such tools, an attacker can determine the TCP sequence
> and acknowledgement numbers that two hosts are using in a communication
> session. This information could enable the attacker to take over the
> legitimate network connection of an authorized user and inject commands
> into the session. This is particularly serious because most forms of
> one-time passwords do not prevent this access.
> 
>   Most of these hijacking tools generate specific packets that can be
> detected by an intrusion detection system.
> 
>   How to remove this vulnerability
> 
>   Use encrypted IP or encrypted login programs if possible, and contact
>   your vendor for patches to correct TCP sequence prediction vulnerabilities.
> 
>   References
> 
>   CERT Advisory CA-1995-01
>   IP Spoofing Attacks and Hijacked Terminal Connections
>   <http://www.cert.org/advisories/CA-1995-01.html>
> 
>   ISS X-Force
>   IP hijacking allows attackers to execute commands into someone's session
>   <http://www.iss.net/security_center/static/629.php>
> 
>   Jirka Havelka


-- 
Met vriendelijke groeten,

Remco Post

SARA - Stichting Academisch Rekencentrum Amsterdam    http://www.sara.nl
High Performance Computing  Tel. +31 20 592 8008    Fax. +31 20 668 3167

"I really didn't foresee the Internet. But then, neither did the computer
industry. Not that that tells us very much of course - the computer industry
didn't even foresee that the century was going to end." -- Douglas Adams
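Remco's advice amounts to a triage rule: a TCP_Hijacking_Tool alert is expected only when a registered backup client talks to a known TSM server on the TSM port during the scheduled backup window, and everything else still deserves a look. The script below is an added illustration of that rule, not code from either poster or from ISS/Tivoli; the alert line format, host addresses and the backup window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sensor lines in the spirit of the thread; not real RealSecure output.
SAMPLE_ALERTS = """\
2003-07-10 09:41:02 TCP_Hijacking_Tool src=10.1.2.21 dst=10.1.0.5 dport=1500
2003-07-10 09:41:03 TCP_Hijacking_Tool src=10.1.2.21 dst=10.1.0.5 dport=1500
2003-07-10 09:41:09 TCP_Hijacking_Tool src=10.1.2.22 dst=10.1.0.5 dport=1500
2003-07-10 09:45:17 TCP_Hijacking_Tool src=10.1.2.22 dst=10.1.0.5 dport=1500
2003-07-10 09:50:00 TCP_Hijacking_Tool src=10.1.2.50 dst=10.1.0.5 dport=1500
2003-07-10 13:02:44 TCP_Hijacking_Tool src=10.1.2.99 dst=10.1.0.7 dport=23
"""

ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sig>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse sensor lines into dicts; lines that do not match the assumed format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["hour"] = int(rec["time"].split(":")[0])
            alerts.append(rec)
    return alerts

def triage(alerts, tsm_servers, backup_clients, backup_hours, tsm_port=1500):
    """Split alerts into the known TSM backup pattern and the rest.

    'Expected' requires ALL of: destination is a known TSM server, port is the TSM
    port, source is a registered backup client, hour inside [start, end). Traffic
    to port 1500 from an unregistered host is deliberately kept for investigation.
    """
    start, end = backup_hours
    expected = defaultdict(int)   # (src, dst, dport) -> number of alerts
    investigate = []
    for a in alerts:
        if (a["sig"] == "TCP_Hijacking_Tool"
                and a["dst"] in tsm_servers
                and a["dport"] == tsm_port
                and a["src"] in backup_clients
                and start <= a["hour"] < end):
            expected[(a["src"], a["dst"], a["dport"])] += 1
        else:
            investigate.append(a)
    return {"expected": dict(expected), "investigate": investigate}
```

The per-flow counts in "expected" are what you would show the customer to explain the alert volume (many sessions from each client to port 1500), while the "investigate" list is what their IDS team should still review.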
