IDS mailing list archives

Re: Network hardware IPS

From: Cory Stoker <cstoker () latis com>
Date: Tue, 30 Sep 2003 10:52:20 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Alvin Wong wrote:

<snip>

|
|Also, my question to any is the following
|"One note of caution on TCP Reset is not a preferred method of blocking
|attacks according to some security experts. " Alan Shimel
|
|Why isn't TCP reset a preferred method of blocking?
|
|Regards,
|Alvin
|
<snip>

Hi:

The main reason that TCP resets are not a preferred method of blockingis it is not Guaranteed to be successful. I quote below:

" In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always killthe HTTP connection using the RST and/or ICMPs. In most of the casesconnection is reset and sometimes it remains running and the file (dummy" cmd.exe" placed on Apache web server) is successfully downloaded. Thepossible explanation is that RST arrives too late for the connection tobe reset since the response from server comes earlier with the rightsequence number. The delayed RST is then discarded. Thus RST/ICMP is nota reliable security mechanism (exactly as claimed in the snortdocumentation)." -- Anton Chuvakin, Ph.D.

Also many attacks are too short for a TCP reset to be effective or theattacker could change his IP stack to disregard the TCP reset.


Thanks,
- --

Cory Stoker
Security Engineer
Latis Networks, Inc.

www.stillsecure.com
Reducing your risk has never been this easy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/ebS7I1eg/VOfA8oRAgkgAJ0SYnU+qN7/VOWBSWEMabYY3LET1ACaAnbr
VAOjkGF7vl3cmy9wy0XrU4Y=
=ys9M
-----END PGP SIGNATURE-----



---------------------------------------------------------------------------
Captus Networks IPS 4000

Intrusion Prevention and Traffic Shaping Technology to:- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans

- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies

FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demohttp://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101

---------------------------------------------------------------------------

Current thread:

Network hardware IPS Alvin Wong (Sep 29)
- RE: Network hardware IPS Alan Shimel (Sep 29)
- Re: Network hardware IPS Andy Cuff [Talisker] (Sep 29)
- Re: Network hardware IPS nick black (Sep 30)
- Re: Network hardware IPS Ravi Kumar (Sep 30)
- <Possible follow-ups>
- RE: Network hardware IPS JAVIER OTERO (Sep 29)
  - Message not available
    - Network hardware IPS Alvin Wong (Sep 30)
    - Re: Network hardware IPS Cory Stoker (Sep 30)
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS travis . alexander (Sep 30)
- RE: Network hardware IPS JAVIER OTERO (Sep 30)
- RE: Network hardware IPS Nimesh Vakharia (Sep 30)
- RE: Network hardware IPS Bob Walder (Sep 30)