Once the hacker has an idea that the device is a Cisco router, he can use a process called TCP fingerprinting to determine what version of IOS it is running.

Whenever a Cisco receives a TCP SYN request on port 1999, it responds with an RST/ACK packet that contains the word "cisco" in its payload. A countermeasure to this is to block requests to port 1999 by typing the following command in the access control list:

access-list 101 deny tcp any any eq 1999 log