[Snort-users] TCP Reset

Lampe, John W. JWLAMPE at ...1612...
Sat May 19 21:02:48 EDT 2001


>Hi,
Hello.

>What does the group think of the benefits of killing TCP connections, as
>available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure?
>
>From what I've understood so far, it's effective against DoS attacks
>like SYN-Flood, and of limited value against buffer overflow attacks;

It's useless (in some instances, more than useless) against SYN-floods, and
of limited value against buffer overflows.   


>plus, it could be abused by the attacker too.
>
>Since the 'Reset' is sent after the attack packet reaches the host, can
>it actually prevent the buffer overflow?

Yes, as long as the snort engine can note the signature (shellcode, NOPs,
whatever) and RST the connection before the payload has been delivered.

>Now, if the malicious code that gets executed adds a new account (say),
>wouldn't killing the connection after the event be quite wasted?

>TIA,

>Michael
>Free, encrypted, secure Web-based email at www.hushmail.com

John Lampe
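As an added example (not part of the original message, and not Snort's FlexResp code), the following Python builds the pair of TCP RSTs that a `resp:rst_all` style response would forge for a matched segment, and shows the RFC 793 window test that decides whether the target's stack honours them. The addresses, ports, sequence numbers and NOP-sled payload of the sample packet are constructed for the example; raw-socket injection is left out, the block only produces the bytes. The comments mark where the race John describes lives: the RST sent towards the server carries the sequence number the server will expect after the offending segment, so the stack accepts it either way, but it only helps if it lands before that data reaches the application.

```python
import socket
import struct

TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=0) -> bytes:
    """20-byte TCP header (no options) plus payload, with a correct checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> bytes:
    """Minimal IPv4 header (no options) around a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                      socket.IPPROTO_TCP, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields a RST injector needs; tolerates IP and TCP options."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src_ip": pkt[12:16], "dst_ip": pkt[16:20],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF,
            "payload": tcp[(off_flags >> 12) * 4:]}


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> bool:
    """A correct segment sums (checksum field included) to zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(tcp)) + tcp) == 0


def rst_all(trigger: bytes) -> dict:
    """Forge the two RSTs a FlexResp-style rst_all response would send for the
    segment that matched. Each RST's seq is exactly the byte its receiver
    expects next; anything else RFC 793 lets the stack drop as out of window."""
    p = parse_ipv4_tcp(trigger)
    # SYN and FIN each occupy one sequence number, data occupies len(payload)
    consumed = len(p["payload"]) + (1 if p["flags"] & TCP_FLAG_SYN else 0) \
        + (1 if p["flags"] & TCP_FLAG_FIN else 0)
    server_rcv_nxt = (p["seq"] + consumed) & 0xFFFFFFFF
    # To the server, spoofing the client: seq = what the server expects once the
    # offending segment is in. If that segment has already been handed to the
    # application, this still tears the socket down, but too late to matter.
    to_server = build_ipv4(p["src_ip"], p["dst_ip"], build_tcp(
        p["src_ip"], p["dst_ip"], p["sport"], p["dport"],
        server_rcv_nxt, p["ack"], TCP_FLAG_RST | TCP_FLAG_ACK))
    # To the client, spoofing the server: seq = the client's own ACK number,
    # i.e. the next byte the client expects from the server.
    to_client = build_ipv4(p["dst_ip"], p["src_ip"], build_tcp(
        p["dst_ip"], p["src_ip"], p["dport"], p["sport"],
        p["ack"], server_rcv_nxt, TCP_FLAG_RST | TCP_FLAG_ACK))
    return {"to_server": to_server, "to_client": to_client,
            "server_rcv_nxt": server_rcv_nxt}


def rst_accepted(rst_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for a RST: seq must lie inside the receiver's
    window (modulo 2**32); with a zero window only seq == RCV.NXT passes."""
    if rcv_wnd == 0:
        return rst_seq == rcv_nxt
    return ((rst_seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


def sample_attack_packet() -> bytes:
    """Constructed sample, not a real exploit: 10.0.0.5:40000 -> 10.0.0.10:80,
    PSH/ACK, seq 1000, ack 5000, a 32-byte NOP sled followed by a request."""
    src, dst = socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.10")
    payload = b"\x90" * 32 + b"GET / HTTP/1.0\r\n\r\n"
    return build_ipv4(src, dst, build_tcp(src, dst, 40000, 80, 1000, 5000,
                                          TCP_FLAG_PSH | TCP_FLAG_ACK, payload, 65535))


if __name__ == "__main__":
    r = rst_all(sample_attack_packet())
    for name in ("to_server", "to_client"):
        s = parse_ipv4_tcp(r[name])
        print(name, "seq=%d ack=%d flags=0x%02x" % (s["seq"], s["ack"], s["flags"]))
```

Running the block prints the seq/ack pair of each forged RST for the constructed packet. The `rst_accepted` check is the reason an injector has to track the session: a RST whose sequence number is one byte behind RCV.NXT is silently discarded, and the same check is what an attacker who has guessed the sequence numbers exploits when turning an active response against the site.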
