Can the sensor send a tcp reset when it is installed inline?

darin.marais
Level 4

I would like to find out if the IPS will send a reset to the attacker when a signature is modified to deny-attacker-service-pair-inline.

3 Replies

marcabal
Cisco Employee

No,

The packets will just be dropped/denied by the sensor without sending resets. The attacker connections will just eventually timeout.

You can add the reset action to the existing deny-attacker-service-pair action for the signature and this will reset the one connection that triggered the signature.

However, it will not reset other connections that are being denied for the attacker-service-pair.

Ok so here's the deal. With the IPS, we are blocking inside workstations from connecting to eDonkey servers using deny-attacker-service-pair. The connections come through a PIX 501.

What appears to happen is that the connection is blocked by the IPS, but each time the client tries to connect to a new eMule/eDonkey server, a connection request populates the PIX connection table. The table on the PIX becomes full and thus denies further connections from other clients. DOS happens...

As Marco has pointed out, the IPS can only send a reset for the initial denied request. What can we do on the PIX to calm the connection from the host that is SYN flooding via the PIX?

mhellman
Level 7

I'm not sure, but you could just add the "Reset TCP Connection" action to the signature to make sure it does.
