02-01-2005 03:14 PM - edited 03-10-2019 01:15 AM
I understand that Dropping a packet prevents the connection from getting into your network, and a TCP Reset resets the connection in both directions.
Isn't that functionally pretty much the same thing? Either way, you're ending the connection, right?
Since TCP Reset only works on TCP traffic, why even use it? Doesn't dropping the connection pretty much take care of that?
02-01-2005 04:09 PM
An issue to consider is that of system resources.
If the IPS drops the connection (or packets), the connection is not able to continue.
BUT both the client and server believe that the connection is still underway and will resend packets, and keep the system resources open until an eventual timeout happens.
With TCP Reset, on the other hand the client and server know the connection has been reset and can free up the system resources and stop doing resends.
TCP Reset by itself, however, does not guarantee the connection will go away.
TCP Reset is a best guess at the sequence numbers to get the connection to be reset. You are in effect hijacking the connection, and hijacking does not always work (especially in fast connections).
If all you are worried about is stopping an attack then dropping the packets works fine.
But if you are worried about dropping the attacks as well as freeing up system resources (especially a web server that may be under constant attack in the case of worms) I would recommend using both the drop action and reset actions.
SIDE NOTE:
The IDS version 4.1 software supports TCP Resets, but does not support drop actions.
The IPS version 5.0 (yet to be released) will support a new InLine feature that does support drop like actions (they are termed deny actions in IPS v5.0). So in 5.0 you may want to do both a deny action and a tcp reset action on signatures that fire often. This way your servers won't waste resources on connections that have already been dropped by the IPS.
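The trade-off described in the answer above, as an added example (not code from the Cisco sensor or from the original poster). It models two things: how long a silently dropped connection keeps a socket allocated while the endpoint retransmits into a black hole (RFC 6298 backoff), and whether a sensor-forged RST is actually accepted at the receiver, which depends on how good the sensor's guess of the receiver's expected sequence number (RCV.NXT) is. Receiver behaviour follows RFC 793 (an in-window RST is accepted) and RFC 5961 (only an exact match resets; an in-window but inexact RST draws a challenge ACK), the latter postdating this thread but now the default on common stacks. The segment values, the retry count, the window size and the `drift` parameter are constructed for the example.

```python
"""Added example: silent drop vs. forged TCP reset, as seen by the endpoints.

Not Cisco sensor code. Sequence arithmetic is modulo 2**32 as in TCP.
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32


def seq_diff(a: int, b: int) -> int:
    """a - b in 32-bit sequence space, as a non-negative distance."""
    return (a - b) % SEQ_MOD


def silent_drop_hold_seconds(retries: int = 15, rto_initial: float = 1.0,
                             rto_max: float = 60.0) -> float:
    """Seconds an endpoint keeps retransmitting when every packet is dropped.

    RFC 6298 timer: initial RTO of 1 s, doubled on each timeout, clamped to
    rto_max (the RFC's minimum ceiling). retries=15 is an assumption
    (Linux tcp_retries2 default). Until this sum elapses the socket, its
    buffers and any server-side worker stay allocated.
    """
    total, rto = 0.0, rto_initial
    for _ in range(retries):
        total += rto
        rto = min(rto * 2, rto_max)
    return total


@dataclass
class Endpoint:
    """Receive-side state of one TCP endpoint."""
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # advertised receive window

    def rst_verdict(self, rst_seq: int, rfc5961: bool = True) -> str:
        """Return 'reset', 'challenge-ack' or 'drop' for an incoming RST."""
        if rst_seq == self.rcv_nxt:
            return "reset"                      # exact match: always accepted
        in_window = (self.rcv_wnd > 0
                     and seq_diff(rst_seq, self.rcv_nxt) < self.rcv_wnd)
        if not in_window:
            return "drop"                       # stale or far-ahead guess
        return "challenge-ack" if rfc5961 else "reset"


@dataclass
class Observed:
    """One client->server segment as the sensor saw it (constructed)."""
    seq: int
    ack: int
    payload_len: int


def forge_resets(seg: Observed) -> dict:
    """Sequence numbers the sensor puts in the RST it sends to each side.

    After the server consumes this segment its RCV.NXT is seq+len, so the
    RST towards the server carries that; the client's RCV.NXT is what the
    client just acknowledged, so the RST towards the client carries ack.
    """
    return {
        "to_server": (seg.seq + seg.payload_len) % SEQ_MOD,
        "to_client": seg.ack,
    }


def reset_outcome(seg: Observed, drift: int, server_wnd: int = 65535,
                  rfc5961: bool = True) -> str:
    """Server's verdict on the forged RST.

    drift = bytes the server has consumed beyond the observed segment when
    the RST arrives. 0 on an idle connection; large positive on a fast bulk
    transfer (guess is stale); negative if the RST overtook the segment the
    sensor keyed on (guess is ahead, but possibly still inside the window).
    """
    rst = forge_resets(seg)
    server = Endpoint(
        rcv_nxt=(seg.seq + seg.payload_len + drift) % SEQ_MOD,
        rcv_wnd=server_wnd,
    )
    return server.rst_verdict(rst["to_server"], rfc5961)


if __name__ == "__main__":
    seg = Observed(seq=1000, ack=5000, payload_len=1460)
    print("socket held on silent drop: %.0f s" % silent_drop_hold_seconds())
    for drift in (0, 2920, -1460):
        print("drift=%6d  RFC793=%-13s RFC5961=%s" % (
            drift, reset_outcome(seg, drift, rfc5961=False),
            reset_outcome(seg, drift)))
```

The three drift cases are the answer's point in numbers: on an idle connection the guess is exact and both sides tear down immediately; on a fast transfer the server has already moved past the guessed sequence number, so the RST is silently discarded and the connection survives; and the one case where an inexact guess still worked under RFC 793 (an in-window but ahead guess) is exactly what RFC 5961 turned into a challenge ACK. That is why the answer recommends a drop/deny action alongside the reset rather than relying on the reset alone.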
02-01-2005 03:40 PM
For TCP based connections, when you RESET them, the connection resets. But dropping a packet does not necessarily mean a connection is torn down. The sender can resend the dropped packets (which eventually will reset the connection if a configured number of drops/resends happens).
thanks
Nadeem
02-09-2005 12:33 PM
Any Plans for an IPS version of the IDSM-2?
02-18-2005 03:48 PM
My understanding is this will be supported too
02-20-2005 01:04 PM
Yes,
The IDSM-2 is being supported for both the older Promiscuous functionality and the new InLine functionality (with the deny actions) in the soon to be released IPS version 5.0.