Snort mailing list archives
RE: TCP Reset
From: Erik Engberg <Erik.Engberg () cygate se>
Date: Tue, 22 May 2001 13:09:26 +0200
My few cents on TCP kill/reset. Pretty much useless for most DoS, BoF and anything else that can be spoofed. Problem: They can be triggered to annoy a third party network and can waste resources and bandwidth. Besides, you can never ever be sure it's not spoofed to start with and that an attacker will "honor" a reset. You need the IDS to function as a firewall or bridge and intercept the packets to be effective against these kinds of threats. Or use the functionality of Syn defender/Syn gateway/Syn proxy or whatever your firewall vendor calls it. TCP resets can be effective in certain cases: To kill unencrypted established connections like telnet, smtp, ftp etc where a prepetrator tries to do su, sudo, VRFY, EXPN, illegal SITE commands etc. Same goes for "keywords" in URLs, on webpages etc... (I´d recommend to use another app to filter that). Or why not kill backdoor traffic? Or kill unwanted traffic types on an internal net where it's not practical with a firewall (get behind me telnet!) Wan't your machine to ignore resets? filter it out with your favourite firewall (ipfilter in my case) or reconfigure your kernel to not give a damn about them... However, it won't be to helpful as a tcpkill should go to both machines in a connection. //Erik -----Original Message----- From: michael.porter () hushmail com [mailto:michael.porter () hushmail com] Sent: Saturday, May 19, 2001 9:51 PM To: Snort Users Mailing List Subject: [Snort-users] TCP Reset Hi, What does the group think of the benefits of killing TCP connections, as available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure?
From what I've understood so far, it's effective against DoS attacks like
SYN-Flood, and of limited value against buffer overflow attacks; plus, it could be abused by the attacker too. Since the 'Reset' is sent after the attack packet reaches the host, can it actually prevent the buffer overflow? Now, if the malicious code that gets executed adds a new account (say), wouldn't killing the connection after the event be quite wasted? TIA, Michael Free, encrypted, secure Web-based email at www.hushmail.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- TCP Reset michael . porter (May 19)
- <Possible follow-ups>
- RE: TCP Reset Frank Knobbe (May 19)
- RE: TCP Reset Lampe, John W. (May 19)
- RE: TCP Reset michael . porter (May 20)
- Re: TCP Reset Andreas Hasenack (May 20)
- RE: TCP Reset Lampe, John W. (May 20)
- RE: TCP Reset michael . porter (May 20)
- RE: TCP Reset Erik Engberg (May 22)