[Snort-users] TCP Resets

Jeff Kell jeff-kell at ...6282...
Fri Feb 27 20:24:13 EST 2004

twig les wrote:
> --- Josh Berry <josh.berry at ...10221...> wrote:
>> I am trying to assess the value of using TCP Resets on Exploit 
>> attacks over TCP such as Blaster and Code Red.  It seems as though 
>> trying to reset these types of connections will just double the
>> amount of network traffic while not stopping the exploit.  Won't
>> the reset reach the machine too late as the IDS is reacting just
>> after the connection is seen?

> That is a band-aid.  The core problem is the infected host. Aside
> from double the traffic it does nothing to fix the core problem, just
> the symptom.  If snort is not inline it may get bogged down enough to
> let a payload pass anyway.

If you issue an RST (assuming inline):
* generates return traffic,
* fakes most scanners into believing the port is closed,
* attacker can rapidly continue their attack/scan

If you do not issue an RST, but silently drop:
* no return traffic,
* attacker must wait for timeout,
* scanners assume the port is "filtered"

Inline will indeed not work exactly as expected; the above rules apply
to strictly inline devices (firewall, iptables, etc.).
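A small model of the two lists above, added here as an example and not code from the thread or from Snort: it shows how a scanner labels a port from the response it gets, and what an RST versus a silent drop costs the scanner in time and generates in return traffic. The round-trip time and probe timeout are assumed constants.

```python
from enum import Enum

# Assumed timing constants (milliseconds); real values depend on the network
# and on the scanner's configured per-probe timeout.
RTT_MS = 50
PROBE_TIMEOUT_MS = 2000

class Response(Enum):
    SYN_ACK = "syn-ack"  # the host accepted the SYN
    RST = "rst"          # the host, or an inline device, refused it
    NONE = "none"        # nothing came back before the scanner gave up

def classify(resp: Response) -> str:
    """Map a probe response to the port-state label scanners usually report."""
    return {Response.SYN_ACK: "open",
            Response.RST: "closed",
            Response.NONE: "filtered"}[resp]

def probe(port: int, blocked: set[int], policy: str):
    """One SYN probe through an inline device.

    policy is 'reset' (device answers blocked ports with an RST) or 'drop'
    (device discards the SYN silently). Returns (response, ms the scanner
    waited, packets sent back toward the scanner)."""
    if port in blocked:
        if policy == "reset":
            return Response.RST, RTT_MS, 1
        return Response.NONE, PROBE_TIMEOUT_MS, 0
    return Response.SYN_ACK, RTT_MS, 1

def scan(ports, blocked: set[int], policy: str):
    """Probe ports one after another; return (port -> state, total ms, packets back)."""
    states, elapsed_ms, return_pkts = {}, 0, 0
    for p in ports:
        resp, wait_ms, pkts = probe(p, blocked, policy)
        states[p] = classify(resp)
        elapsed_ms += wait_ms
        return_pkts += pkts
    return states, elapsed_ms, return_pkts

if __name__ == "__main__":
    ports = range(1, 101)
    blocked = set(ports) - {80}  # constructed policy: only port 80 is permitted
    for policy in ("reset", "drop"):
        states, ms, pkts = scan(ports, blocked, policy)
        print(f"{policy:5}: {ms / 1000:.2f} s, {pkts} packets back, "
              f"{sum(s == 'closed' for s in states.values())} closed, "
              f"{sum(s == 'filtered' for s in states.values())} filtered")
```

With the constructed policy, the reset run finishes in 5 s and sends 100 packets back, while the drop run takes about 198 s and sends back only the one SYN-ACK for port 80.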


