Snort mailing list archives
Re: More TCP Reset Questions
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 01 Mar 2004 14:34:23 -0500
At 02:04 PM 3/1/2004, Josh Berry wrote:
Correct me if I am wrong but won't TCP resets for attacks like worms just produce more traffic?
I believe you are wrong. If nothing else, the increased traffic is extraordinarily trivial (40 bytes each).
It will just multiply the amount of network traffic and will not stop the worm as the reset will not make it until the malicious payload has already hit your server/desktop.
Incorrect. Flexresp works real-time. It will attempt to desynchronize the TCP stream the instant the signature is triggered. Any delay would inherently cause flexresp to fail.
In the case of a worm, this means you'll be resetting somewhere in the middle of the payload transfer. Depending on where in the payload the signature bytes are, you'll save the bandwidth of transferring the remaining payload.
In terms of bandwidth, even worst-case where it detects at the last byte of the transfer, you'll replace the tcp-teardown sequence with a single reset packet (provided it works).
This is why it is hard for me to find value in resets except for persistent connection applications like P2P, chat, backdoors, and trojans.
Perhaps because you lack an understanding of how it works. Flexresp isn't any more valuable against persistent connections than short-term connections. TCP reset can ONLY work if the reset sequence completes before any other packets can pass between the hosts. Once another packet is passed, the sequence number is advanced, and the TCP reset will be ignored.
Thus, as long as a TCP session has at least one more packet of the data transfer after the signature is recognized, TCP reset is valuable.
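The race Matt describes can be seen in a small simulation. This is an added example, not code from Snort or from anyone in the thread: a toy receiver that tracks RCV.NXT and accepts a RST only when its sequence number equals RCV.NXT exactly (the rule RFC 5961 later standardized; the RFC 793 in-window rule is looser, but the race is the same). The sensor side forges a RST from the segment that tripped the rule, and the outcome depends on whether that RST or the sender's next segment reaches the victim first. The worm payload, the SIGNATURE marker, the segment boundaries and all function names are constructed for the example.

```python
"""Toy model of the flexresp reset race (added example, not Snort code).

A simplified TCP receiver tracks RCV.NXT and accepts a RST only when the
RST's sequence number equals RCV.NXT exactly. Every accepted data segment
advances RCV.NXT, so a RST forged from the segment that matched a rule is
only honoured if it arrives before the sender's following segment does.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int
    payload: bytes = b""
    rst: bool = False


@dataclass
class Receiver:
    rcv_nxt: int                 # next sequence number expected
    closed: bool = False         # set once a RST is accepted
    bytes_received: int = 0      # payload bytes accepted in order
    log: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> bool:
        """Process one segment; return True if it was accepted."""
        if self.closed:
            self.log.append(f"seq={seg.seq}: dropped, connection reset")
            return False
        if seg.rst:
            if seg.seq == self.rcv_nxt:
                self.closed = True
                self.log.append(f"RST seq={seg.seq}: accepted")
                return True
            self.log.append(f"RST seq={seg.seq}: ignored, expected {self.rcv_nxt}")
            return False
        if seg.seq != self.rcv_nxt:
            self.log.append(f"seq={seg.seq}: out of order, expected {self.rcv_nxt}")
            return False
        self.rcv_nxt += len(seg.payload)
        self.bytes_received += len(seg.payload)
        self.log.append(f"seq={seg.seq}: {len(seg.payload)} bytes accepted")
        return True


# Constructed stand-in for a worm payload split over three segments; the
# rule matches on the middle one.
SIGNATURE = b"EVIL"
WORM_CHUNKS = [b"HEAD", SIGNATURE, b"TAIL"]


def build_stream(chunks, isn=1000):
    """Turn payload chunks into in-order segments starting at isn."""
    segs, seq = [], isn
    for chunk in chunks:
        segs.append(Segment(seq=seq, payload=chunk))
        seq += len(chunk)
    return segs


def forge_reset(trigger: Segment) -> Segment:
    """RST aimed at the victim, built from the segment that tripped the rule.

    Once the victim has consumed the trigger, RCV.NXT is trigger.seq plus
    its length, so that is the only sequence number the RST may carry.
    """
    return Segment(seq=trigger.seq + len(trigger.payload), rst=True)


def simulate(chunks, reset_arrives_before_next: bool, signature=SIGNATURE):
    """Replay a stream through the victim with a sensor watching for the
    signature. reset_arrives_before_next decides who wins the race between
    the forged RST and the sender's next segment."""
    segments = build_stream(chunks)
    victim = Receiver(rcv_nxt=segments[0].seq)
    pending_rst, fired = None, False
    for seg in segments:
        if pending_rst is not None and reset_arrives_before_next:
            victim.deliver(pending_rst)      # RST beat the next segment
            pending_rst = None
        victim.deliver(seg)
        if pending_rst is not None:          # sender's segment got there first
            victim.deliver(pending_rst)
            pending_rst = None
        if not fired and signature in seg.payload:
            pending_rst, fired = forge_reset(seg), True
    if pending_rst is not None:              # signature sat in the last segment
        victim.deliver(pending_rst)
    return victim


if __name__ == "__main__":
    for wins in (True, False):
        v = simulate(WORM_CHUNKS, reset_arrives_before_next=wins)
        print(f"reset first={wins}: closed={v.closed} bytes={v.bytes_received}")
        for line in v.log:
            print("  " + line)
```

When the forged RST wins the race the victim closes after 8 of the 12 bytes and drops the tail; when the sender's next segment lands first, RCV.NXT has moved on and the same RST is ignored. Moving the signature into the last segment shows the worst case from the post: nothing is saved in bandwidth, but the RST still lands because no further data segment advances the window.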
Current thread:
- More TCP Reset Questions Josh Berry (Mar 01)
- Re: More TCP Reset Questions Bamm Visscher (Mar 01)
- Re: More TCP Reset Questions Matt Kettler (Mar 01)
- Re: More TCP Reset Questions Josh Berry (Mar 01)
- Re: More TCP Reset Questions Matt Kettler (Mar 01)
- Re: More TCP Reset Questions Matt Kettler (Mar 01)