Re: Network hardware IPS

From: Cory Stoker (cstoker_at_latis.com)
Date: 09/30/03


Date: Tue, 30 Sep 2003 10:52:20 -0600
To: Alvin Wong <alvin.wong@b2b.com.my>



Alvin Wong wrote:

<snip>

|
|Also, my question to any is the following
|"One note of caution on TCP Reset is not a preferred method of blocking
|attacks according to some security experts. " Alan Shimel
|
|Why isn't TCP reset a preferred method of blocking?
|
|Regards,
|Alvin
|
<snip>

Hi:

The main reason that TCP resets are not a preferred method of blocking
is that it is not guaranteed to be successful. I quote below:

"In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill
the HTTP connection using the RST and/or ICMPs. In most cases the
connection is reset and sometimes it remains running and the file (dummy
"cmd.exe" placed on Apache web server) is successfully downloaded. The
possible explanation is that RST arrives too late for the connection to
be reset since the response from server comes earlier with the right
sequence number. The delayed RST is then discarded. Thus RST/ICMP is not
a reliable security mechanism (exactly as claimed in the snort
documentation)." -- Anton Chuvakin, Ph.D.

Also many attacks are too short for a TCP reset to be effective or the
attacker could change his IP stack to disregard the TCP reset.

Thanks,
--

Cory Stoker
Security Engineer
Latis Networks, Inc.

www.stillsecure.com
Reducing your risk has never been this easy

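The race Cory and the quoted test describe, as an added illustration that is not part of the original thread: a small Python model of the receiver-side sequence window check, showing that the same forged RST kills the transfer when it arrives before the server's data and is silently dropped when it arrives after it (segment sizes, sequence numbers and names are assumed).

```python
"""Toy model of the TCP receive-side check that decides whether an RST is honoured.
Added example, not from the original post. It models only the RFC 793 rule that a
segment is accepted when its sequence number lies in the receive window
[rcv_nxt, rcv_nxt + rcv_wnd). An IPS-forged RST that arrives after the server's
data has advanced rcv_nxt falls outside the window and is dropped (RFC 5961
stacks are stricter: an RST must match rcv_nxt exactly). Values are constructed."""
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int
    payload: int = 0      # bytes carried (0 for a bare RST)
    rst: bool = False

@dataclass
class Receiver:
    rcv_nxt: int          # next sequence number the client expects
    rcv_wnd: int = 65535
    reset: bool = False
    received: int = 0     # payload bytes delivered to the application

    def in_window(self, seq):
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def process(self, seg):
        if self.reset or not self.in_window(seg.seq):
            return                          # closed, or stale/out-of-window segment
        if seg.rst:
            self.reset = True               # in-window RST tears the connection down
        elif seg.seq == self.rcv_nxt:       # simplification: in-order data only
            self.rcv_nxt += seg.payload
            self.received += seg.payload

def run(order):
    """Feed segments to a fresh client receiver; return (was_reset, bytes_delivered)."""
    client = Receiver(rcv_nxt=1000)
    for seg in order:
        client.process(seg)
    return client.reset, client.received

# Server response (the dummy file) in three segments, plus the RST the IPS forged
# towards the client using the sequence number it saw at the start of the response.
data = [Segment(1000, 1460), Segment(2460, 1460), Segment(3920, 800)]
ips_rst = Segment(1000, rst=True)

RST_FIRST = run([ips_rst] + data)                 # (True, 0): download killed
RST_LATE = run(data[:1] + [ips_rst] + data[1:])   # (False, 3720): RST discarded
```

Once the first data segment has moved rcv_nxt past the sequence number the IPS used, nothing the sensor sends with that number will be accepted, which is why the quoted test saw the file arrive intact despite the reset.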



