[Snort-users] TCP Reset

Lampe, John W. JWLAMPE at ...1612...
Sun May 20 11:16:53 EDT 2001

>Two follow-up questions on the effectiveness of TCP Reset.
>In an earlier mail John Lampe wrote:
>>It's useless (in some instances, more than useless) against SYN-floods,
>Do you mean that TCP Reset can actually cause potential damage during
>SYN Floods? Could you explain?

Sure.  What if you're RSTing SYNs from a spoofed SYN packet?  The SNORT
engine is now *introducing* traffic on 2 networks, namely your network and
the victim network.

>>>can it actually prevent the buffer overflow?
>>Yes, as long as the snort engine can note the signature (shellcode,
>>whatever) and RST the connection before the payload has been delivered.


>Can the RST packet from Snort -which comes after the attack packet(s) - 
>actually nullify the effect of the payload? Doesn't the server socket
>the payload to the application, before it handles the reset? Or am I
>something wrong here? Has anybody actually succeeded RST-ing a buffer

The question is...how large is the buffer?  It's a race.  If the buffer is
large enough (spanning multiple packets), the RST has the potential of
occurring before the actual overflow occurs.
John Lampe
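Added example, not from the thread above and not Snort's own code: it builds the two forged RSTs that a RST-on-alert response emits for a sniffed segment (one toward each end, with RFC 793-acceptable sequence numbers and a valid TCP checksum) and shows the point John makes about spoofed SYNs, namely that the "client-side" RST is addressed to whatever source address the SYN claimed. The `should_reset` gate is this example's own assumption of a sane policy, not a Snort setting; all addresses, ports and sequence numbers are constructed.

```python
"""Forge the two TCP RSTs an IDS active response would send for a sniffed
segment, and gate the response so a spoofed SYN does not trigger it.
Standard library only; run it directly to see the packets for a spoofed SYN."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    """The fields of a sniffed TCP segment that a RST response needs."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_ip: str, dst_ip: str, sport: int, dport: int,
                     seq: int, ack: int, flags: int) -> bytes:
    """Raw 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, hdr: bytes) -> bool:
    """A correct checksum makes the sum over pseudo-header plus header come out to 0."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def parse_tcp_header(hdr: bytes) -> Dict[str, int]:
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def active_response(seen: Segment) -> List[Tuple[str, int, bytes]]:
    """One forged RST toward each end of the connection, as a RST-on-alert does.
    Returns (destination_ip, destination_port, raw_tcp_header) per packet.
    Toward the sender: RST|ACK whose ack acknowledges everything it sent
    (ISN+1 for a SYN), which is what a SYN-SENT or ESTABLISHED peer accepts.
    Toward the receiver: RST carrying the seq the receiver expects next."""
    advance = seen.payload_len + (1 if seen.flags & TH_SYN else 0)
    to_sender = build_tcp_header(seen.dst_ip, seen.src_ip, seen.dst_port, seen.src_port,
                                 seen.ack, seen.seq + advance, TH_RST | TH_ACK)
    to_receiver = build_tcp_header(seen.src_ip, seen.dst_ip, seen.src_port, seen.dst_port,
                                   seen.seq + advance, 0, TH_RST)
    return [(seen.src_ip, seen.src_port, to_sender),
            (seen.dst_ip, seen.dst_port, to_receiver)]


def should_reset(seen: Segment) -> bool:
    """Assumed policy for this example: never answer a bare SYN. Its source address
    is unverified, so the RST 'to the client' would go to whatever address a
    SYN flood spoofed. Requiring ACK-and-not-SYN stops that amplification; it is
    not proof the source is genuine, which needs per-flow handshake tracking."""
    return bool(seen.flags & TH_ACK) and not (seen.flags & TH_SYN)


if __name__ == "__main__":
    # Constructed: a SYN to our web server whose source is spoofed to a third party.
    spoofed_syn = Segment("203.0.113.7", "192.0.2.10", 40000, 80, seq=1000, ack=0, flags=TH_SYN)
    for dst_ip, dst_port, hdr in active_response(spoofed_syn):
        h = parse_tcp_header(hdr)
        print(f"RST -> {dst_ip}:{dst_port} seq={h['seq']} ack={h['ack']} flags={h['flags']:#04x}")
    print("reset a bare SYN?", should_reset(spoofed_syn))
```

Running it shows the first RST leaving for 203.0.113.7, the spoofed address, which is the traffic on "the victim network" that the reply warns about; `should_reset` refuses bare SYNs so a flood cannot use the sensor as a reflector.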
