RE: TCP Reset

["Lampe, John W." <JWLAMPE () GAPAC com>]

> Two follow-up questions on the effectiveness of TCP Reset.
>
> In an earlier mail John Lampe wrote:
> > It's useless (in some instances, more than useless) against SYN-floods,
>
>
> Do you mean that TCP Reset can actually cause potential damage during
> some 
> SYN Floods? Could you explain?

sure.  What if you're RSTing SYN's from a spoofed SYN packet?  The SNORT
engine is now *introducing* traffic on 2 networks.  Namely, your network and
the victim network.    



>       >>can it actually prevent the buffer overflow? 
> > Yes, as long as the snort engine can note the signature (shellcode,
> > NOP's,
> > whatever) and RST the connection before the payload has been delivered.

 

> Can the RST packet from Snort -which comes after the attack packet(s) - 
> actually nullify the effect of the payload? Doesn't the server socket
> pass 
> the payload to the application, before it handles the reset? Or am I
> getting 
> something wrong here? Has anybody actually succeeded RST-ing a buffer
> overflow?

The question is...how large is the buffer?  It's a race.  If the buffer is
large enough (spanning multiple packets), the RST has the potential of
occuring before the actual overflow occurs.  

> Thanks,

> Michael

John Lampe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users