Scenario Solutions

Based on Example 5-1, you can clearly identify ports that are open and closed by the acknowledgement number and the agreed TCP window sizes. When TCP negotiates a session, the first acknowledgement number is typically a random value, so an acknowledgement of 1 is extremely suspicious. Windows devices, for example, typically calculate a random number much higher than 1. When the window size is zero, the TCP window size parameter has not been negotiated; in other words, the connection is not permitted. Example 5-3 displays port 53 as unauthorized or closed because the window size is 0.

Example 5-3 TCP Closed Ports (TCPDUMP Output)

>10:39:01 181.1.1.100/53 131.108.1.1/41000 ACK 1 Win 0 (May Defragment)

Example 5-4 displays the open and active sessions: the window sizes have been negotiated and there are active segments. TCP ports 80, 3178, and 3179 are opened by the firewall in this organization and are passed through the IDS.

Example 5-4 Open TCP Ports

>10:39:02 181.1.1.100/80 131.108.1.1/21001 ACK 34000 Win 2048
>10:39:03 181.1.1.100/3178 131.108.1.1/31002 ACK 10000 Win 4096
>10:39:04 181.1.1.100/3179 131.108.1.1/51001 ACK 11235 Win 4096
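As an added example (not from the book or from Cisco), the following Python script applies the rule above to lines in the format of Examples 5-3 and 5-4: it parses each line and labels the named port closed when the window is 0, suspicious when a nonzero window carries an acknowledgement of 1, and open otherwise. The sample lines are constructed to match the examples, not captured traffic.

```python
import re

# Regex for the IDS/tcpdump-style lines shown in Examples 5-3 and 5-4:
#   >HH:MM:SS src_ip/src_port dst_ip/dst_port ACK <n> Win <n> [(note)]
LINE_RE = re.compile(
    r"^>?(?P<ts>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)\s+"
    r"ACK\s+(?P<ack>\d+)\s+Win\s+(?P<win>\d+)"
)

def parse_line(line):
    """Return a dict of fields for one output line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seg = m.groupdict()
    for key in ("sport", "dport", "ack", "win"):
        seg[key] = int(seg[key])
    return seg

def classify(seg):
    """Win 0: no window negotiated, port closed / not permitted; nonzero window
    with ACK 1: suspicious (real stacks pick a random number); otherwise open."""
    if seg["win"] == 0:
        return "closed"
    if seg["ack"] == 1:
        return "suspicious"
    return "open"

def summarize(lines):
    """Map the first address's port (the port the scenario names) to its state."""
    states = {}
    for line in lines:
        seg = parse_line(line)
        if seg is not None:
            states[seg["sport"]] = classify(seg)
    return states

# Constructed sample in the format of Examples 5-3 and 5-4 (not captured traffic)
SAMPLE = """
>10:39:01 181.1.1.100/53 131.108.1.1/41000 ACK 1 Win 0 (May Defragment)
>10:39:02 181.1.1.100/80 131.108.1.1/21001 ACK 34000 Win 2048
>10:39:03 181.1.1.100/3178 131.108.1.1/31002 ACK 10000 Win 4096
>10:39:04 181.1.1.100/3179 131.108.1.1/51001 ACK 11235 Win 4096
""".strip().splitlines()

if __name__ == "__main__":
    for port, state in sorted(summarize(SAMPLE).items()):
        print(f"port {port}: {state}")
```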

Example 5-2 displays a single fragmented TCP packet sent from the outside host with IP address 181.1.1.100 to the inside routable address 131.108.1.1. The message indicates a single fragmented TCP packet with both the SYN and FIN flags set, which is indicative of a reconnaissance sweep of your network in progress: the fragmentation is an attempt to conceal the TCP port sweep (port 53, DNS, in this case). This may be the prelude to a more serious attack. The security engineer is well advised to note the event immediately, log in to Cisco.com, and search for the recommended action. For example, you could perform the following steps:

Step 1 Note the signature IDs. In Example 5-2, they are 3043 and 3050.

Step 2 Open an Internet browser.

Step 3 Go to http://www.cisco.com/pcgi-bin/front.x/ipsalerts/ipsalertsHome.pl or search for the latest database of IPS signature IDs.

Step 4 Click the List Signatures by Signature ID link (Cisco.com password required).

Step 5 Locate the signature number that follows Sig: (3043 in Example 5-2) in the error message text for more information on the nature of the event and the corrective actions to perform.

The log message regarding TCP half-open connections is another suspicious event requiring immediate attention. In this case the number of half-open TCP connections has exceeded the high-water mark. There are no known sources that would legitimately generate this traffic pattern, so it is regarded as a form of attack. The recommended action is to block the source IP address for the duration of the investigation, to ensure that network resources are not depleted and that legitimate TCP sessions (that is, valid data connections from valid users) can still become active. This sort of attack can be considered a denial of service attack.

Hopefully this simple scenario has shown you the power of the details provided by IDS-enabled devices, the ease of using these devices, and the powerful search engines available at Cisco.com. The error messages are fairly intuitive, and if you come across a difficult question in the exam, apply a commonsense approach. Obviously you will not have Internet access during the exam, so it is safe to assume Cisco will not test your knowledge of every obscure signature or scenario, but some common examples are presented in this simple scenario.
