topic IDS Drop vs. Reset in Network Security

IDS Drop vs. Reset

r-lemaster — Sun, 10 Mar 2019 09:15:42 GMT

I understand that Dropping a packet prevents the connection from getting into your network, and a TCP Reset resets the connection in both directions.

Isn't that functionally pretty much the same thing? Either way, you're ending the connection, right?

Since TCP Reset only works on TCP traffic, why even use it? Doesn't dropping the connection pretty much take care of that?

Re: IDS Drop vs. Reset

nkhawaja — Tue, 01 Feb 2005 23:40:18 GMT

for TCP based connections, when you RESET them, then the connection resets. But dropping a packet not necessarily means a connection is torn down. Sender can resend the dropped packets (which eventually will reset the connection if a configured number of drop/resend happens)

thanks

Nadeem

Re: IDS Drop vs. Reset

marcabal — Wed, 02 Feb 2005 00:09:36 GMT

An issue to consider is that of system resources.

If the IPS drops the connection (or packets), the connection is not able to continue.

BUT both the client and server believe that the connection is still underway and will resend packets, and keep the system resources open until an eventual timeout happens.

With TCP Reset, on the other hand the client and server know the connection has been reset and can free up the system resources and stop doing resends.

TCP Reset by itself, however, does not guarantee the connection will go away.

TCP Reset is a best guess at the sequence numbers to get the connection to be reset. You are in effect hijacking the connection, and hijacking does not always work (especially in fast connections).

If all you are worried about is stopping an attack then dropping the packets works fine.

But if you are worries about dropping the attacks as well as freeing up system resources (especially a web server that may be under constant attack in the case of worms) I would recommend using both the drop action and reset actions.

SIDE NOTE:

The IDS version 4.1 software supports TCP Resets, but does not support drop actions.

The IPS version 5.0 (yet to be released) will support a new InLine feature that does support drop like actions (they are termed deny actions in IPS v5.0). So in 5.0 you may want to do both a deny action and a tcp reset action on signatures that fire often. This way your servers won't waste resources on connections that have already been dropped by the IPS.

Re: IDS Drop vs. Reset

dbobeldyk — Wed, 09 Feb 2005 20:33:44 GMT

Any Plans for an IPS version of the IDSM-2?

Re: IDS Drop vs. Reset

ishah — Fri, 18 Feb 2005 23:48:18 GMT

My understanding is this will be supported too

Re: IDS Drop vs. Reset

marcabal — Sun, 20 Feb 2005 21:04:59 GMT

Yes,

The IDSM-2 is being supported for both the older Promiscuous functionality and the new InLine functionality (with the deny actions) in the soon to be released IPS version 5.0.