[Snort-users] TCP Reset
Lampe, John W.
JWLAMPE at ...1612...
Sun May 20 11:16:53 EDT 2001
>Two follow-up questions on the effectiveness of TCP Reset.
>In an earlier mail John Lampe wrote:
>>It's useless (in some instances, more than useless) against SYN-floods,
>Do you mean that TCP Reset can actually cause potential damage during
>SYN Floods? Could you explain?
Sure. What if you're RSTing SYNs from a spoofed SYN packet? The SNORT
engine is now *introducing* traffic on 2 networks. Namely, your network and
the victim network.
>>can it actually prevent the buffer overflow?
>>Yes, as long as the snort engine can note the signature (shellcode,
>>whatever) and RST the connection before the payload has been delivered.
>Can the RST packet from Snort -which comes after the attack packet(s) -
>actually nullify the effect of the payload? Doesn't the server socket
>the payload to the application, before it handles the reset? Or am I
>something wrong here? Has anybody actually succeeded RST-ing a buffer
The question is...how large is the buffer? It's a race. If the buffer is
large enough (spanning multiple packets), the RST has the potential of
occurring before the actual overflow occurs.
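As an added illustration of the two points above (not part of the original thread, and not Snort's code), here is a small Python model of a passive sensor that injects TCP RSTs. Everything in it is constructed: the `SIGNATURE` byte pattern, the IP addresses, the segment sizes and the server's `buffer_limit` are made-up values chosen to show when the RST wins the race and when it does not, and which addresses receive injected traffic when the sensor answers a spoofed SYN.

```python
"""Toy model of IDS active response (TCP RST) racing an attacker's payload.

Constructed example for illustration; it is not Snort code. The addresses,
signature bytes and buffer sizes are all made up.
"""
from dataclasses import dataclass

# Constructed marker the sensor looks for in the reassembled stream.
SIGNATURE = b"\x90" * 8 + b"SHELLCODE"


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "S" = SYN, "PA" = data, "R" = RST
    payload: bytes = b""


class Server:
    """Victim service: every byte that arrives before an RST reaches the app."""

    def __init__(self, addr, buffer_limit):
        self.addr = addr
        self.buffer_limit = buffer_limit   # bytes the app can hold safely
        self.app_buffer = bytearray()
        self.reset = False

    def receive(self, seg):
        if self.reset:                     # connection already torn down
            return
        if "R" in seg.flags:
            self.reset = True
            return
        self.app_buffer += seg.payload     # data is handed up immediately

    @property
    def overflowed(self):
        return len(self.app_buffer) > self.buffer_limit


class Sensor:
    """Passive sensor: it sees a copy of each segment after the segment has passed."""

    def __init__(self):
        self.streams = {}
        self.injected = []                 # every RST the sensor put on the wire

    def inspect(self, seg):
        stream = self.streams.setdefault((seg.src, seg.dst), bytearray())
        stream += seg.payload
        return self._reset_both(seg) if SIGNATURE in stream else []

    def reset_on_syn(self, seg):
        """Active response to a SYN: RST towards both addresses in the packet."""
        return self._reset_both(seg) if "S" in seg.flags else []

    def _reset_both(self, seg):
        rsts = [Segment(seg.dst, seg.src, "R"), Segment(seg.src, seg.dst, "R")]
        self.injected += rsts
        return rsts


def overflow_race(payload, segment_size, buffer_limit):
    """Deliver payload in segments; the sensor only reacts after each one lands."""
    attacker_ip, server_ip = "198.51.100.7", "192.0.2.10"   # constructed
    srv, sensor = Server(server_ip, buffer_limit), Sensor()
    for off in range(0, len(payload), segment_size):
        seg = Segment(attacker_ip, server_ip, "PA", payload[off:off + segment_size])
        srv.receive(seg)                     # wire delivery comes first ...
        for rst in sensor.inspect(seg):      # ... the sensor's RST comes after
            if rst.dst == server_ip:
                srv.receive(rst)
        if srv.reset:
            break
    return {"delivered": len(srv.app_buffer),
            "overflowed": srv.overflowed,
            "reset": srv.reset}


def spoofed_syn_targets(spoofed_src, our_host):
    """Addresses that receive sensor-generated RSTs in reply to one spoofed SYN."""
    sensor = Sensor()
    sensor.reset_on_syn(Segment(spoofed_src, our_host, "S"))
    return sorted({rst.dst for rst in sensor.injected})


if __name__ == "__main__":
    # Payload fits in one segment: the app already has every byte when the RST lands.
    print(overflow_race(SIGNATURE + b"A" * 50, 1460, 32))
    # Signature in the first of several segments: the RST cuts the stream short.
    print(overflow_race(SIGNATURE + b"A" * 4000, 1460, 3000))
    # Signature only at the tail: the overflow happens before the sensor can match.
    print(overflow_race(b"A" * 4000 + SIGNATURE, 1460, 3000))
    # A spoofed SYN makes the sensor emit traffic towards a third party's address.
    print(spoofed_syn_targets("203.0.113.5", "192.0.2.10"))
```

The model ignores retransmission, sequence-number checking of the injected RST and sensor latency, all of which only make the race harder for the sensor; its point is that the RST is useful only when the matched signature arrives before the bytes that actually overflow the buffer.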