Snort mailing list archives

Re: More TCP Reset Questions


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 01 Mar 2004 14:34:23 -0500

At 02:04 PM 3/1/2004, Josh Berry wrote:
Correct me if I am wrong but won't TCP resets for attacks like worms just
produce more traffic?

I believe you are wrong. If nothing else, the increased traffic is extraordinarily trivial (40 bytes each).


It will just multiply the amount of network traffic
and will not stop the worm as the reset will not make it until the
malicious payload has already hit your server/desktop.

Incorrect. Flexresp works in real time. It will attempt to desynchronize the TCP stream the instant the signature is triggered. Any delay would inherently cause flexresp to fail.

In the case of a worm, this means you'll be resetting somewhere in the middle of the payload transfer. Depending on where in the payload the signature bytes are, you'll save the bandwidth of transferring the remaining payload.

In terms of bandwidth, even worst-case where it detects at the last byte of the transfer, you'll replace the tcp-teardown sequence with a single reset packet (provided it works).

This is why it is
hard for me to find value in resets except for persistent connection
applications like P2P, Chat, Backdoors, and Trojans.

Perhaps because you lack an understanding of how it works.

Flexresp isn't any more valuable against persistent connections than short-term connections. Tcp-reset can ONLY work if the reset sequence completes before any other packets can pass between the hosts. Once another packet is passed, the sequence number is advanced, and the tcp-reset will be ignored.

Thus, as long as a tcp session has at least one more packet in the data transfer after the signature is recognized, tcp-reset is valuable.
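A toy model of the race described above, added here as an example that is not part of the original post and not Snort code: the receiver applies the RFC 793 in-window rule for accepting a RST (an assumption of the model), and the segment sizes are constructed.

```python
"""Toy model of the flexresp race: a forged RST only works if it reaches the
receiver before the next data segment advances the expected sequence number.
Added example, not Snort code.  The receiver's acceptance test is the RFC 793
in-window rule, assumed here; all segment sizes are constructed."""

RCV_WND = 65535  # receiver window size, assumed


class Receiver:
    """Only the state the RST check needs: the next expected sequence number."""

    def __init__(self, isn):
        self.rcv_nxt = isn
        self.reset = False

    def accept_data(self, seq, length):
        # In-order data advances rcv_nxt; out-of-order data is dropped in this toy.
        if seq == self.rcv_nxt:
            self.rcv_nxt += length
            return True
        return False

    def accept_rst(self, seq):
        # RFC 793: a RST is honoured only if its SEQ lies inside the receive window.
        ok = self.rcv_nxt <= seq < self.rcv_nxt + RCV_WND
        self.reset = self.reset or ok
        return ok


def simulate(segments, trigger, delay):
    """segments: payload lengths of the attacking stream (constructed input).
    The sensor matches on segments[trigger] and forges a RST carrying the
    sequence number the receiver expects next.  delay = how many further data
    segments reach the receiver before the forged RST does.
    Returns (reset_accepted, payload_bytes_delivered)."""
    rx, seq, delivered, rst_seq, sent = Receiver(1000), 1000, 0, None, False
    for i, n in enumerate(segments):
        if rst_seq is not None and not sent and i == trigger + 1 + delay:
            sent = True
            if rx.accept_rst(rst_seq):
                return True, delivered  # stream torn down mid-transfer
        if rx.accept_data(seq, n):
            delivered += n
        seq += n
        if i == trigger:
            rst_seq = seq  # sensor copies the next-expected seq from the hit
    # Match on the last segment: the RST still lands, replacing the normal teardown.
    if rst_seq is not None and not sent and rx.accept_rst(rst_seq):
        return True, delivered
    return False, delivered
```

With four 500-byte segments and a hit on the second, a RST that arrives before the third segment is accepted and saves the remaining 1000 bytes; if even one more segment gets through first, the RST's sequence number is already behind rcv_nxt and is ignored.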

