Re: Network hardware IPS

From: Alvin Wong (alvin.wong_at_b2b.com.my)
Date: 10/02/03

    To: Cory Stoker <cstoker@latis.com>
    Date: 02 Oct 2003 11:25:26 +0800
    
    

    Thanks for the information, Cory, that was really insightful.

    Regards,
    Alvin

    On Wed, 2003-10-01 at 00:52, Cory Stoker wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > Alvin Wong wrote:
    >
    > <snip>
    >
    > |
    > |Also, my question to any is the following
    > |"One note of caution on TCP Reset is not a preferred method of blocking
    > |attacks according to some security experts. " Alan Shimel
    > |
    > |Why isn't TCP reset a preferred method of blocking?
    > |
    > |Regards,
    > |Alvin
    > |
    > <snip>
    >
    > Hi:
    >
    > The main reason that TCP resets are not a preferred method of blocking
    > is it is not guaranteed to be successful. I quote below:
    >
    > "In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill
    > the HTTP connection using the RST and/or ICMPs. In most of the cases
    > connection is reset and sometimes it remains running and the file (dummy
    > "cmd.exe" placed on Apache web server) is successfully downloaded. The
    > possible explanation is that RST arrives too late for the connection to
    > be reset since the response from server comes earlier with the right
    > sequence number. The delayed RST is then discarded. Thus RST/ICMP is not
    > a reliable security mechanism (exactly as claimed in the snort
    > documentation)." -- Anton Chuvakin, Ph.D.
    >
    > Also many attacks are too short for a TCP reset to be effective or the
    > attacker could change his IP stack to disregard the TCP reset.
    >
    > Thanks,
    > - --
    >
    > Cory Stoker
    > Security Engineer
    > Latis Networks, Inc.
    >
    > www.stillsecure.com
    > Reducing your risk has never been this easy
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.1 (GNU/Linux)
    > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    >
    > iD8DBQE/ebS7I1eg/VOfA8oRAgkgAJ0SYnU+qN7/VOWBSWEMabYY3LET1ACaAnbr
    > VAOjkGF7vl3cmy9wy0XrU4Y=
    > =ys9M
    > -----END PGP SIGNATURE-----
    >
    >

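The race Cory's quote describes can be made concrete with a small model of the receiving TCP stack. The code below is an added example; it is not from this thread, from Snort, or from Latis Networks. It models only the receiver's RST acceptance test (the RFC 793 in-window check, and the stricter RFC 5961 exact-match check that modern stacks use) and lets the server's genuine response and the sensor's forged RST arrive in either order. The sequence numbers, window size and payload length are constructed values, and the `ignore_rst` flag stands in for the modified stack Cory mentions. It generalises the quoted Snort observation to any sniffer-based reset.

```python
"""Model of why a sniffer-injected TCP RST can arrive too late.

Added example, not code from the Focus-IDS thread, Snort or Latis.
Only the receiver-side RST acceptance rule and a simple event ordering
are modelled; all numbers are constructed for illustration.
"""
from dataclasses import dataclass

RFC793 = "rfc793"    # RST accepted if its SEQ is anywhere in the receive window
RFC5961 = "rfc5961"  # RST accepted only if SEQ == RCV.NXT, else a challenge ACK


@dataclass
class Receiver:
    """Receive-side state of one TCP endpoint (only what the RST check needs)."""
    rcv_nxt: int               # next sequence number expected from the peer
    rcv_wnd: int               # advertised receive window
    rule: str = RFC793         # which RST validation rule the stack implements
    ignore_rst: bool = False   # hypothetical modified stack that drops every RST
    state: str = "ESTABLISHED"

    def in_window(self, seq: int) -> bool:
        """RFC 793 acceptability test for a zero-length segment."""
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def deliver_data(self, seq: int, length: int) -> bool:
        """Peer's genuine data segment; in-order data advances rcv_nxt."""
        if self.state != "ESTABLISHED" or seq != self.rcv_nxt:
            return False
        self.rcv_nxt += length
        return True

    def deliver_rst(self, seq: int) -> bool:
        """Return True if the RST tears the connection down."""
        if self.state != "ESTABLISHED" or self.ignore_rst:
            return False
        if self.rule == RFC5961:
            accepted = seq == self.rcv_nxt      # anything else: challenge ACK
        else:
            accepted = self.in_window(seq)
        if accepted:
            self.state = "CLOSED"
        return accepted


def race(rst_first: bool, rule: str = RFC793, ignore_rst: bool = False) -> str:
    """The client has sent a GET; the server's reply and the sensor's forged
    RST (spoofed as the server) race to the client. Returns the final state."""
    server_isn = 1000          # constructed: client expects server data at 1000
    client = Receiver(rcv_nxt=server_isn, rcv_wnd=65535,
                      rule=rule, ignore_rst=ignore_rst)
    # The sensor can only use the sequence number it saw the client acknowledge.
    forged_rst_seq = server_isn
    response_len = 1460        # constructed: first segment of the HTTP response
    if rst_first:
        client.deliver_rst(forged_rst_seq)           # in window: connection dies
        client.deliver_data(server_isn, response_len)
    else:
        client.deliver_data(server_isn, response_len)  # rcv_nxt advances to 2460
        client.deliver_rst(forged_rst_seq)             # seq 1000 is now stale
    return client.state


if __name__ == "__main__":
    for order in (True, False):
        for rule in (RFC793, RFC5961):
            print(f"rst_first={order} rule={rule}: {race(order, rule)}")
    print("stack ignoring RST:", race(True, ignore_rst=True))
```

Only the ordering in which the forged RST beats the server's first data segment closes the connection; once genuine data has advanced `rcv_nxt`, the sensor's RST is outside the window under RFC 793 and not an exact match under RFC 5961, so it is discarded, which is the "delayed RST" outcome in the quoted Snort tests. A sensor that is in-line, or a firewall rule, does not depend on winning this race.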

