Snort mailing list archives

Re: block connections in IPS


From: Jeff Nathan <jeff () snort org>
Date: Thu, 2 Oct 2003 13:37:07 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Thursday, October 2, 2003, at 11:56 AM, Geoff wrote:

OOO now we are getting heated :)

While Flex-Response may not be reliable in Snort... (which I may argue but not today) active response features are available in "other" IDSs and can provide protection from attacks that a firewall would never see. Granted, a good application firewall may do the job. But on a fast link with lots of sessions an application firewall cannot keep up with the session establishment rate (20kps @ our university).

I can't remember how many Resets get sent out when the Flex_RESP piece is being used. However, other vendors send 100 resets in each direction in an effort to spoof the correct sequence number. Lots of small (usually fragmented) packets can easily generate 100 packets before the reset reaches the remote host; however, it is much harder to beat the resets headed toward the local host. It's a race condition on both sides of the connection, but your local network is usually faster than the Internet. Tearing down the local connection (internal network) but not the remote connection is, some say, a feature, but that is also a debate for another email :)

Sending 100 resets is a perfect way for an attacker to turn your active response mechanism into a DoS amplifier. I have no doubt every pitfall has been fallen into by various vendors. Active response mechanisms should, at a minimum, know which packets never to respond to.

There's little value in sending TCP resets to the sending host. The sending host might be configured to ignore TCP resets from the destination IP address, in which case they would serve no purpose. Instead, an effective mechanism is to send several resets to the receiving TCP, pre-adjusted to take into account any data that would have shifted the ACK number, with an incrementing ACK number to compensate for ACK number consumption. Sending 100 active response packets is a sure-fire way to block other NIDS subcomponents and miss attacks.

There is one case in which sending TCP resets to the sending host is valuable. In the case of attack response rules, where a host has been compromised and Snort is looking for a response from the compromised host to the attacking system, sending a TCP reset to the sender is valuable.

Fragmented IP packets are a rare occurrence with TCP, and fragmented TCP segments will be queued both by the receiving TCP and by Snort's TCP stream reassembler. Modern TCP/IP stacks are designed to optimize the overhead of ACKing data.

[...]

Nothing like a good conversation over some coffee :)
Geoff


Dug Song's tcpkill application, part of the dsniff suite, was referenced while developing sp_respond2. Sp_respond2 sends a maximum of ten responses to brute-force a TCP connection into an unusable state. By default it sends three TCP resets.

- -Jeff

- --
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/fGJKEqr8+Gkj0/0RAjCnAKDFMd/1t4YxvxYyoj7mjy5/4mkuwgCfcTsW
Ccif+DFIBZJOxfiY+BzZRNk=
=6iJ9
-----END PGP SIGNATURE-----
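The reset-to-the-receiving-TCP approach Jeff describes in the message above, as an added Python illustration for this archive page; it is not part of the original thread and is not the sp_respond2 or tcpkill source. The Segment type, the 192.0.2.x/198.51.100.x sample addresses and ports, the receiver_window argument (the window the receiver last advertised, which a real sensor would take from the reverse-direction traffic) and the "never reset a reset" exclusion rule are this example's own assumptions. The three-by-default, ten-at-most counts come from the post.

```python
"""Active-response TCP resets aimed at the receiving TCP.

Added illustration for this thread; it is not the sp_respond2 or tcpkill
source.  Packet fields, addresses and ports below are constructed sample data.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
DEFAULT_RESPONSES = 3   # sp_respond2 default quoted in the post
MAX_RESPONSES = 10      # sp_respond2 upper bound quoted in the post


@dataclass(frozen=True)
class Segment:
    """What the sensor saw on the wire: one TCP segment from src to dst (assumed type)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload_len: int


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the TCP header/payload.
    Returns 0 when `tcp` already carries a correct checksum."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    return (~_ones_complement_sum(pseudo + tcp)) & 0xFFFF


def build_rst(src, dst, sport, dport, seq, ack) -> bytes:
    """20-byte TCP header, RST|ACK, no options, window 0, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def parse_tcp_header(hdr: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, win, csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "checksum": csum}


def should_respond(seg: Segment) -> bool:
    """Minimal 'never respond to' rule (this example's choice, not sp_respond2's
    list): a RST gets no RST in reply, otherwise a flood of spoofed resets would
    make the responder emit up to MAX_RESPONSES packets per packet received."""
    return not (seg.flags & TCP_RST)


def reset_receiver(seg: Segment, receiver_window: int,
                   n: int = DEFAULT_RESPONSES) -> List[bytes]:
    """Resets spoofed from seg.src and aimed at the *receiving* TCP (seg.dst).

    After absorbing `seg`, the receiver's RCV.NXT is seq + payload_len, plus one
    for SYN or FIN.  The first RST carries exactly that sequence number; the rest
    step forward by the receiver's advertised window (supplied by the caller from
    the reverse direction), so one of them still lands in-window if more data was
    already in flight.  The ACK field repeats what the sender last acknowledged.
    """
    if not should_respond(seg):
        return []
    n = max(1, min(n, MAX_RESPONSES))
    consumed = seg.payload_len + bool(seg.flags & TCP_SYN) + bool(seg.flags & TCP_FIN)
    rcv_nxt = seg.seq + consumed
    return [build_rst(seg.src, seg.dst, seg.sport, seg.dport,
                      rcv_nxt + i * receiver_window, seg.ack) for i in range(n)]


if __name__ == "__main__":
    # Constructed sample: a 100-byte data segment from a client to a web server.
    seen = Segment("192.0.2.10", "198.51.100.20", 40000, 80,
                   seq=1000, ack=5000, flags=TCP_PSH | TCP_ACK, payload_len=100)
    for rst in reset_receiver(seen, receiver_window=8192):
        print(parse_tcp_header(rst))
```

Two notes on the design. First, tcpkill's own variant goes the other way: it swaps the addresses and sends RSTs to the observed segment's sender with sequence numbers ack + i*window, which is the "reset to the sending host" Jeff argues has little value against a host that ignores resets. Second, a caveat that post-dates the thread: RFC 5961 (2010) tells a receiver to accept an in-window RST only when its sequence number equals RCV.NXT exactly and to answer any other in-window RST with a challenge ACK, so on modern stacks the window-stride spread yields fewer hits than it did in 2003 and the exactly pre-adjusted first RST is the one that counts.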



_______________________________________________
Snort-users mailing list