[Snort-users] TCP Resets
jeff-kell at ...6282...
Fri Feb 27 20:24:13 EST 2004
twig les wrote:
> --- Josh Berry <josh.berry at ...10221...> wrote:
>> I am trying to assess the value of using TCP Resets on Exploit
>> attacks over TCP such as Blaster and Code Red. It seems as though
>> trying to reset these types of connections will just double the
>> amount of network traffic while not stopping the exploit. Won't
>> the reset reach the machine too late as the IDS is reacting just
>> after the connection is seen?
> That is a band-aid. The core problem is the infected host. Aside
> from double the traffic it does nothing to fix the core problem, just
> the symptom. If snort is not inline it may get bogged down enough to
> let a payload pass anyway.
If you issue an RST (assuming inline):
* generates return traffic,
* fakes most scanners into believing the port is closed,
* attacker can rapidly continue their attack/scan.
If you do not issue an RST, but silently drop:
* no return traffic,
* attacker must wait for timeout,
* scanners assume the port is "filtered"
Inline will indeed not work exactly as expected; the above rules apply
to strictly inline devices (firewall, iptables, etc.).