RE: TCP Reset

["Lampe, John W." <JWLAMPE () GAPAC com>]

> Hi,
Hello.

> What does the group think of the benefits of killing TCP connections, as
>
> available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure?
>
> From what I've understood so far, it's effective against DoS attacks
> like 
> SYN-Flood, and of limited value against buffer overflow attacks; 

It's useless (in some instances, more than useless) against SYN-floods, and
of limited value against buffer overflows.   


> plus,
> it 
> could be abused by the attacker too.
>
> Since the 'Reset' is sent after the attack packet reaches the host, can 
> it actually prevent the buffer overflow? 

Yes, as long as the snort engine can note the signature (shellcode, NOP's,
whatever) and RST the connection before the payload has been delivered.  

> Now, if the malicious code that
>
> gets executed adds a new account (say), wouldn't killing the connection 
> after the event be quite wasted?

> TIA,

> Michael
> Free, encrypted, secure Web-based email at www.hushmail.com

John Lampe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users