IDS Drop vs. Reset

r-lemaster
Level 1

I understand that Dropping a packet prevents the connection from getting into your network, and a TCP Reset resets the connection in both directions.

Isn't that functionally pretty much the same thing? Either way, you're ending the connection, right?

Since TCP Reset only works on TCP traffic, why even use it? Doesn't dropping the connection pretty much take care of that?

Accepted Solution

An issue to consider is that of system resources.

If the IPS drops the connection (or packets), the connection is not able to continue.

BUT both the client and server believe that the connection is still underway and will resend packets, and keep the system resources open until an eventual timeout happens.

With TCP Reset, on the other hand the client and server know the connection has been reset and can free up the system resources and stop doing resends.

TCP Reset by itself, however, does not guarantee the connection will go away.

TCP Reset is a best guess at the sequence numbers to get the connection to be reset. You are in effect hijacking the connection, and hijacking does not always work (especially in fast connections).

If all you are worried about is stopping an attack then dropping the packets works fine.

But if you are worried about dropping the attacks as well as freeing up system resources (especially a web server that may be under constant attack in the case of worms) I would recommend using both the drop action and reset actions.

SIDE NOTE:

The IDS version 4.1 software supports TCP Resets, but does not support drop actions.

The IPS version 5.0 (yet to be released) will support a new InLine feature that does support drop like actions (they are termed deny actions in IPS v5.0). So in 5.0 you may want to do both a deny action and a tcp reset action on signatures that fire often. This way your servers won't waste resources on connections that have already been dropped by the IPS.

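Added example, not from this thread: a small Python model of the acceptance check a TCP endpoint applies to an incoming RST. It shows why a reset built from a sensor's snapshot of the sequence number can be silently discarded once a busy connection has moved on, and why an RFC 5961 stack answers an in-window but inexact RST with a challenge ACK instead of tearing the connection down. All sequence numbers and window sizes are constructed.

```python
# Added example, not from the thread: how a TCP endpoint decides whether a RST it
# receives is honoured, which is why an IPS-sent reset is "a best guess at the
# sequence numbers". RFC 793 accepts any RST whose sequence number lies in the
# receive window; RFC 5961 requires an exact match on RCV.NXT and answers an
# in-window-but-inexact RST with a challenge ACK. Parameters are constructed.

from dataclasses import dataclass

SEQ_MOD = 2**32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class RecvState:
    rcv_nxt: int  # next sequence number the endpoint expects
    rcv_wnd: int  # receive window in bytes


def in_window(seq: int, st: RecvState) -> bool:
    """RFC 793 acceptability test for a data-less segment, wrap-safe."""
    return (seq - st.rcv_nxt) % SEQ_MOD < st.rcv_wnd


def classify_rst(seq: int, st: RecvState, rfc5961: bool = True) -> str:
    """How the endpoint treats a RST carrying sequence number `seq`."""
    if not in_window(seq, st):
        return "dropped"        # out of window: silently ignored
    if not rfc5961 or seq == st.rcv_nxt:
        return "reset"          # connection torn down, resources freed
    return "challenge-ack"      # RFC 5961: endpoint asks its peer to confirm


def ips_reset_outcome(snapshot_nxt: int, bytes_since: int,
                      rcv_wnd: int, rfc5961: bool = True) -> str:
    """Outcome of an IPS reset built from a sensor snapshot of RCV.NXT.

    By the time the RST arrives the endpoint may have accepted `bytes_since`
    more bytes, so the snapshot now points behind the window: this is the
    fast-connection failure mode the accepted answer describes.
    """
    st = RecvState((snapshot_nxt + bytes_since) % SEQ_MOD, rcv_wnd)
    return classify_rst(snapshot_nxt, st, rfc5961)


if __name__ == "__main__":
    # Idle connection: the snapshot is still exact and the reset lands.
    print(ips_reset_outcome(1_000, 0, 65_535))            # reset
    # Busy connection: one full segment arrived first; the RST is stale.
    print(ips_reset_outcome(1_000, 1_460, 65_535))        # dropped
    # Pre-5961 stack, guess 500 bytes ahead of RCV.NXT: still accepted.
    print(classify_rst(1_500, RecvState(1_000, 65_535), rfc5961=False))  # reset
    # Same guess on an RFC 5961 stack: only a challenge ACK.
    print(classify_rst(1_500, RecvState(1_000, 65_535)))  # challenge-ack
```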

5 Replies

nkhawaja
Cisco Employee

For TCP-based connections, when you RESET them, the connection resets. But dropping a packet does not necessarily mean a connection is torn down. The sender can resend the dropped packets (which eventually will reset the connection if a configured number of drops/resends happens).

thanks

Nadeem

Any Plans for an IPS version of the IDSM-2?

My understanding is this will be supported too

Yes,

The IDSM-2 is being supported for both the older Promiscuous functionality and the new InLine functionality (with the deny actions) in the soon to be released IPS version 5.0.
