Snort mailing list archives
RE: TCP Reset
From: "Lampe, John W." <JWLAMPE () GAPAC com>
Date: Sun, 20 May 2001 11:16:53 -0400
> Two follow-up questions on the effectiveness of TCP Reset. In an earlier mail John Lampe wrote:
>
> > It's useless (in some instances, more than useless) against SYN-floods,
>
> Do you mean that TCP Reset can actually cause potential damage during some SYN Floods? Could you explain?

Sure. What if you're RSTing SYNs from a spoofed SYN packet? The SNORT engine is now *introducing* traffic on 2 networks. Namely, your network and the victim network.

> > > can it actually prevent the buffer overflow?
> >
> > Yes, as long as the snort engine can note the signature (shellcode, NOP's, whatever) and RST the connection before the payload has been delivered.
>
> Can the RST packet from Snort - which comes after the attack packet(s) - actually nullify the effect of the payload? Doesn't the server socket pass the payload to the application before it handles the reset? Or am I getting something wrong here? Has anybody actually succeeded in RST-ing a buffer overflow?

The question is... how large is the buffer? It's a race. If the buffer is large enough (spanning multiple packets), the RST has the potential of occurring before the actual overflow occurs.

> Thanks,
> Michael
John Lampe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
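The two points John makes in this reply (a responder that answers spoofed SYNs pushes RST traffic onto a third party's network, and a signature-triggered RST only beats an overflow that spans more packets than the sensor needs to react) can be checked with a small model. The following is an added example, not code from the thread or from Snort: it assumes a responder that resets both ends of a connection on every inbound SYN, uses a constructed 16-byte NOP run as the stand-in signature, and uses constructed addresses, timings and payloads throughout.

```python
"""Toy model of TCP-reset active response for the two questions in the thread.

1. rst_responses_for_syns(): where do the RSTs go when the SYNs are spoofed?
2. overflow_race(): does the RST leave the sensor before the packet that
   carries the buffer-overrunning byte has been seen?
Everything here is constructed for illustration; nothing is captured traffic.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "S" = SYN, "PA" = data segment, "R" = RST
    payload: bytes = b""
    t: float = 0.0        # time the sensor sees the packet, in ms


PROTECTED_NET = "10.0.0"   # constructed: the /24 the sensor protects
VICTIM_NET = "192.0.2"     # constructed: spoofed source addresses (TEST-NET-1)

# constructed: three SYNs with spoofed sources plus one legitimate local SYN
SPOOFED_SYNS = [
    Packet("192.0.2.7", "10.0.0.80", "S", t=0),
    Packet("192.0.2.8", "10.0.0.80", "S", t=1),
    Packet("192.0.2.9", "10.0.0.80", "S", t=2),
    Packet("10.0.0.5", "10.0.0.80", "S", t=3),
]


def _net(ip):
    """Crude /24 prefix of a dotted-quad string (enough for the model)."""
    return ip.rsplit(".", 1)[0]


def rst_responses_for_syns(packets, protected_net=PROTECTED_NET):
    """RSTs that a reset-both-ends responder (assumed behaviour, not Snort's
    exact logic) emits for every inbound SYN, and how many RSTs leave
    toward each /24. Spoofed sources turn into RSTs aimed at a network the
    sensor has no business talking to."""
    rsts, per_net = [], {}
    for p in packets:
        if p.flags == "S" and _net(p.dst) == protected_net:
            # one RST toward the claimed client, one toward our own server
            for src, dst in ((p.dst, p.src), (p.src, p.dst)):
                rsts.append(Packet(src, dst, "R", t=p.t))
                per_net[_net(dst)] = per_net.get(_net(dst), 0) + 1
    return rsts, per_net


NOP_SLED = b"\x90" * 16   # constructed stand-in for a NOP-sled signature


def overflow_race(stream, buffer_size, detect_delay_ms):
    """Race between the sensor's RST and the rest of the exploit payload.

    The sensor-to-server hop delays the RST and the data segments equally,
    so only the sensor's reaction time (detect_delay_ms) decides the race.
    The RST wins only if it can leave before the sensor has already seen the
    segment that pushes delivered bytes past buffer_size."""
    seen, delivered = b"", 0
    fire_at = overrun_at = None
    for p in sorted(stream, key=lambda p: p.t):
        seen += p.payload
        delivered += len(p.payload)
        if fire_at is None and NOP_SLED in seen:
            fire_at = p.t + detect_delay_ms   # earliest moment a RST can leave
        if overrun_at is None and delivered > buffer_size:
            overrun_at = p.t                  # segment carrying the overrunning byte
    rst_wins = fire_at is not None and overrun_at is not None and fire_at < overrun_at
    return {"fire_at": fire_at, "overrun_at": overrun_at, "rst_wins": rst_wins}


def _data(payload, t):
    return Packet("192.0.2.7", "10.0.0.25", "PA", payload, t)


# constructed: 1200 attack bytes, sled first; sent as three 400-byte segments
# 10 ms apart, or as one segment
ATTACK_BYTES = NOP_SLED + b"A" * 1184
MULTI_PACKET_EXPLOIT = [
    _data(ATTACK_BYTES[i:i + 400], t=10 * k) for k, i in enumerate(range(0, 1200, 400))
]
SINGLE_PACKET_EXPLOIT = [_data(ATTACK_BYTES, t=0)]


if __name__ == "__main__":
    rsts, per_net = rst_responses_for_syns(SPOOFED_SYNS)
    print(f"{len(rsts)} RSTs emitted, per destination /24: {per_net}")
    for label, stream, delay in (("3 segments, 5 ms sensor", MULTI_PACKET_EXPLOIT, 5),
                                 ("3 segments, 25 ms sensor", MULTI_PACKET_EXPLOIT, 25),
                                 ("1 segment, 5 ms sensor", SINGLE_PACKET_EXPLOIT, 5)):
        print(label, overflow_race(stream, buffer_size=1000, detect_delay_ms=delay))
```

With a 1000-byte buffer the three-segment exploit is stopped by a sensor that reacts in 5 ms but not by one that needs 25 ms, and the single-segment exploit is never stopped, because the segment that trips the signature is the same one that overruns the buffer. The SYN tally shows that three of the eight RSTs leave toward the spoofed 192.0.2.0/24 network, which is the "two networks" problem in the reply.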
Current thread:
- TCP Reset michael . porter (May 19)
- <Possible follow-ups>
- RE: TCP Reset Frank Knobbe (May 19)
- RE: TCP Reset Lampe, John W. (May 19)
- RE: TCP Reset michael . porter (May 20)
- Re: TCP Reset Andreas Hasenack (May 20)
- RE: TCP Reset Lampe, John W. (May 20)
- RE: TCP Reset michael . porter (May 20)
- RE: TCP Reset Erik Engberg (May 22)