[Snort-users] TCP Resets

Jeff Kell jeff-kell at ...6282...
Fri Feb 27 20:24:13 EST 2004


twig les wrote:
> --- Josh Berry <josh.berry at ...10221...> wrote:
> 
>> I am trying to assess the value of using TCP Resets on Exploit 
>> attacks over TCP such as Blaster and Code Red.  It seems as though 
>> trying to reset these types of connections will just double the
>> amount of network traffic while not stopping the exploit.  Won't
>> the reset reach the machine too late as the IDS is reacting just
>> after the connection is seen?

> That is a band-aid.  The core problem is the infected host. Aside
> from double the traffic it does nothing to fix the core problem, just
> the symptom.  If snort is not inline it may get bogged down enough to
> let a payload pass anyway.

If you issue an RST (assuming inline):
* generates return traffic,
* fakes most scanners into believing port is closed,
* attacker can rapidly continue their attack/scan

If you do not issue an RST, but silently drop:
* no return traffic,
* attacker must wait for timeout,
* scanners assume the port is "filtered"

Inline will indeed not work exactly as expected; the above rules apply 
to strictly inline devices (firewall, iptables, etc.).

Jeff
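The trade-off Jeff lays out (RST gives the scanner an immediate "closed" and doubles the packet count; a silent drop makes it burn retransmissions and timeouts before it can say "filtered") can be made concrete with a small simulation. This is an added example, not code from the thread or from Snort; the target model, the 50 ms RTT, the 1 s probe timeout, the two retransmissions and the strictly sequential scanner are all assumptions chosen to mirror a plain SYN scan against an inline device.

```python
"""Simulated SYN scan against a target whose inline device either answers
blocked probes with a TCP RST (iptables REJECT --reject-with tcp-reset) or
silently drops them (iptables DROP).  Added example; all numbers assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple


class Verdict(Enum):
    OPEN = "open"          # SYN/ACK came back
    CLOSED = "closed"      # RST came back
    FILTERED = "filtered"  # nothing came back after all retries


@dataclass
class Target:
    """Constructed target: open ports answer SYN/ACK, everything else is
    answered according to the device policy (RST or silence)."""
    open_ports: Set[int]
    reset_on_block: bool      # True = REJECT with tcp-reset, False = DROP
    rtt: float = 0.05         # assumed round-trip time in seconds

    def respond(self, port: int) -> Tuple[Optional[str], float]:
        """Return (reply, delay); reply is 'SYN/ACK', 'RST' or None."""
        if port in self.open_ports:
            return "SYN/ACK", self.rtt
        if self.reset_on_block:
            return "RST", self.rtt
        return None, 0.0


@dataclass
class ScanResult:
    verdicts: Dict[int, Verdict]
    elapsed: float            # simulated wall-clock seconds
    packets_sent: int
    packets_received: int


def syn_scan(target: Target, ports: Iterable[int],
             timeout: float = 1.0, retries: int = 2) -> ScanResult:
    """Classify ports the way a SYN scanner does: SYN/ACK -> open,
    RST -> closed, no answer after `retries` retransmissions -> filtered.
    The scanner is modelled as strictly sequential (one port at a time)."""
    verdicts: Dict[int, Verdict] = {}
    elapsed = 0.0
    sent = received = 0
    for port in ports:
        verdict = Verdict.FILTERED
        for _ in range(retries + 1):
            reply, delay = target.respond(port)
            sent += 1
            if reply is None:
                # Silent drop: the scanner has to wait out the probe timeout
                # before it may retransmit.
                elapsed += timeout
                continue
            received += 1
            elapsed += delay
            verdict = Verdict.OPEN if reply == "SYN/ACK" else Verdict.CLOSED
            break
        verdicts[port] = verdict
    return ScanResult(verdicts, elapsed, sent, received)


def compare_policies(ports: Iterable[int], open_ports: Set[int]):
    """Run the same scan against a resetting and a dropping device."""
    ports = list(ports)
    with_rst = syn_scan(Target(open_ports, reset_on_block=True), ports)
    with_drop = syn_scan(Target(open_ports, reset_on_block=False), ports)
    return with_rst, with_drop


if __name__ == "__main__":
    rst, drop = compare_policies(range(1, 101), {22, 80})
    for name, r in (("RST", rst), ("DROP", drop)):
        print(f"{name:4s} elapsed={r.elapsed:7.2f}s sent={r.packets_sent:4d} "
              f"received={r.packets_received:4d} "
              f"filtered={sum(v is Verdict.FILTERED for v in r.verdicts.values())}")
```

For 100 ports with two of them open, the resetting device hands the scanner 100 replies in about 5 simulated seconds and labels every blocked port "closed"; the dropping device returns 2 packets, forces 296 probes, and the scanner needs several minutes before it can label the other 98 ports "filtered". A real scanner parallelises its probes, so the absolute times shrink, but the ratio of return traffic and the "closed" versus "filtered" verdicts are the part of Jeff's argument this shows.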