Snort mailing list archives

TCP Reset


From: michael.porter () hushmail com
Date: Sat, 19 May 2001 14:51:21 -0500 (EDT)

Hi,

What does the group think of the benefits of killing TCP connections, as 
available in FLEXRESP, or even the Tcpkill feature in ISS RealSecure?

From what I've understood so far, it's effective against DoS attacks like 
SYN-Flood, and of limited value against buffer overflow attacks; plus, it 
could be abused by the attacker too.

Since the 'Reset' is sent after the attack packet reaches the host, can 
it actually prevent the buffer overflow? Now, if the malicious code that 
gets executed adds a new account (say), wouldn't killing the connection 
after the event be quite wasted?

TIA,

Michael