Re: TCP Resets

[Jeff Kell <jeff-kell () utc edu>]

twig les wrote:
> --- Josh Berry <josh.berry () netschematics com> wrote:
>
> > I am trying to assess the value of using TCP Resets on Exploit 
> > attacks over TCP such as Blaster and Code Red.  It seems as though 
> > trying to reset these types of connections will just double the
> > amount of network traffic while not stopping the exploit.  Won't
> > the reset reach the machine too late as the IDS is reacting just
> > after the connection is seen?

> That is a band-aid.  The core problem is the infected host. Aside
> from double the traffic it does nothing to fix the core problem, just
> the symptom.  If snort is not inline it may get bogged down enough to
> let a payload pass anyway.

If you issue an RST (assuming inline):
* generates return traffic,
* fakes most scanners into believing port is closed,
* attacker can rapidly continue their attack/scan

If you do not issue an RST, but silently drop:
* no return traffic,
* attacker must wait for timeout,
* scanners assume the port is "filtered"

Inline will indeed not work exactly as expected, the above rules apply 
to strictly inline devices (firewall, iptables, etc).

Jeff



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users