IDS mailing list archives
Re: Network hardware IPS
From: Alvin Wong <alvin.wong () b2b com my>
Date: 02 Oct 2003 11:25:26 +0800
Thanks for the information, Cory, that was really insightful. Regards, Alvin On Wed, 2003-10-01 at 00:52, Cory Stoker wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alvin Wong wrote: <snip> | |Also, my question to any is the following |"One note of caution on TCP Reset is not a preferred method of blocking |attacks according to some security experts. " Alan Shimel | |Why isn't TCP reset a preferred method of blocking? | |Regards, |Alvin | <snip> Hi: The main reason that TCP resets are not a preferred method of blocking is it is not Guaranteed to be successful. I quote below: " In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill the HTTP connection using the RST and/or ICMPs. In most of the cases connection is reset and sometimes it remains running and the file (dummy " cmd.exe" placed on Apache web server) is successfully downloaded. The possible explanation is that RST arrives too late for the connection to be reset since the response from server comes earlier with the right sequence number. The delayed RST is then discarded. Thus RST/ICMP is not a reliable security mechanism (exactly as claimed in the snort documentation)." -- Anton Chuvakin, Ph.D. Also many attacks are too short for a TCP reset to be effective or the attacker could change his IP stack to disregard the TCP reset. Thanks, - -- Cory Stoker Security Engineer Latis Networks, Inc. www.stillsecure.com Reducing your risk has never been this easy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/ebS7I1eg/VOfA8oRAgkgAJ0SYnU+qN7/VOWBSWEMabYY3LET1ACaAnbr VAOjkGF7vl3cmy9wy0XrU4Y= =ys9M -----END PGP SIGNATURE-----
--------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- RE: Network hardware IPS Davis, Scott L (Oct 02)
- Re: Network hardware IPS Stefano Zanero (Oct 06)
- <Possible follow-ups>
- Re: Network hardware IPS Darren Bolding (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 06)
- RE: Network hardware IPS Ron Gula (Oct 02)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- Re: Network hardware IPS david maynor (Oct 07)
- Re: Network hardware IPS Gary Flynn (Oct 08)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- RE: Network hardware IPS Dave Killion (Oct 07)
- Re: Network hardware IPS Stefano Zanero (Oct 07)
- RE: Network hardware IPS david maynor (Oct 08)
- RE: Network hardware IPS Dave Killion (Oct 07)
- Re: Network hardware IPS Stefano Zanero (Oct 07)