[Snort-users] TCP Reset

Lampe, John W. JWLAMPE at ...1612...
Sun May 20 11:16:53 EDT 2001


>Two follow-up questions on the effectiveness of TCP Reset.
>
>In an earlier mail John Lampe wrote:
>>It's useless (in some instances, more than useless) against SYN-floods,
>
>Do you mean that TCP Reset can actually cause potential damage during
>some SYN Floods? Could you explain?

Sure.  What if you're RSTing SYN's from a spoofed SYN packet?  The SNORT
engine is now *introducing* traffic on 2 networks.  Namely, your network and
the victim network.



>>>can it actually prevent the buffer overflow?
>>Yes, as long as the snort engine can note the signature (shellcode,
>>NOP's, whatever) and RST the connection before the payload has been delivered.

 

>Can the RST packet from Snort -which comes after the attack packet(s) -
>actually nullify the effect of the payload? Doesn't the server socket
>pass the payload to the application, before it handles the reset? Or am I
>getting something wrong here? Has anybody actually succeeded RST-ing a buffer
>overflow?

The question is...how large is the buffer?  It's a race.  If the buffer is
large enough (spanning multiple packets), the RST has the potential of
occurring before the actual overflow occurs.

>Thanks,
>
>Michael

John Lampe
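The race John describes, as an added example that is not from the thread or from Snort itself: a constructed three-segment delivery in which the NOP sled (the signature the IDS would match) only appears in the second segment, and a simple model of whether an IDS RST that lands `react_ms` after the matching segment arrives before the byte that overflows a buffer of `buf_size`. Segment sizes, timings and the `react_ms` delay are assumptions; the model treats the server as handing each segment to the application the moment it arrives.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    payload: bytes
    arrive_ms: float   # time the server's TCP stack hands these bytes to the app


# Constructed scenario (not captured traffic): three in-order 1460-byte
# segments, 10 ms apart. The NOP sled only shows up in the second segment,
# so the IDS cannot react before that segment is already on its way in.
NOP_SLED = b"\x90" * 16
SCENARIO: List[Segment] = [
    Segment(b"A" * 1460, 0.0),
    Segment(b"A" * 1000 + NOP_SLED + b"B" * 444, 10.0),
    Segment(b"C" * 1460, 20.0),
]


def ids_rst_time(segs: List[Segment], signature: bytes, react_ms: float) -> Optional[float]:
    """Earliest time an IDS RST could reach the server: the IDS matches the
    signature on the reassembled stream and needs react_ms to emit the RST."""
    seen = b""
    for seg in segs:
        seen += seg.payload
        if signature in seen:
            return seg.arrive_ms + react_ms
    return None   # signature never seen: no RST at all


def overflow_time(segs: List[Segment], buf_size: int) -> Optional[float]:
    """Time at which the cumulative payload first exceeds the buffer."""
    filled = 0
    for seg in segs:
        filled += len(seg.payload)
        if filled > buf_size:
            return seg.arrive_ms
    return None   # payload fits: nothing to overflow


def rst_wins(segs: List[Segment], signature: bytes, react_ms: float, buf_size: int) -> bool:
    """True if the RST is in place strictly before the overflowing byte lands."""
    ovf = overflow_time(segs, buf_size)
    if ovf is None:
        return True
    rst = ids_rst_time(segs, signature, react_ms)
    return rst is not None and rst < ovf
```

With a 2048-byte buffer the overflow and the matching segment are the same packet, so the RST always loses; with a 4096-byte buffer the overflow only happens in the third segment and a 5 ms reaction wins the race.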
