Solved: TCP Resets

JEFF SPRADLING · ‎02-04-2013

Hello all,

I'd like to get your input on TCP Resets sent from the IPS running inline. If the sensor is setup to deny attacker, deny connection, or even deny packet, is there any reason to send a TCP Reset? It seems to me that sending a reset just confirms a valid IP Address to the attacker.

I can see the reason for the reset if the IPS is running in promiscuous mode, as you'd want the inside host to severe the connection, but I don't see the benefit of sending it when the IPS is already denying the connection in one form or another.

Thoughts?

Thanks,

Jeff S.

ananmath · ‎02-20-2013

The document says,

Snippet from http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliEvAct.html

The deny packet inline action is represented as a dropped packet action in the alert. When a deny packet inline occurs for a TCP connection, it is automatically upgraded to a deny connection inline action and seen as a denied flow in the alert. If the IPS denies just one packet, the TCP continues to try to send that same packet again and again, so the IPS denies the entire connection to ensure it never succeeds with the resends.

When a deny connection inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open connection on both the client (generally the attacker) and the server (generally the victim). Too many open connections can result in resource problems on the victim. So the IPS sends a TCP reset to the victim to close the connection on the victim side (usually the server), which conserves the resources of the victim. It also prevents a failover that would otherwise allow the connection to fail over to a different network path and reach the victim. The IPS leaves the attacker side open and denies all traffic from it.

Deny Connection Inline and Deny Attacker Victim Pair Inline seems to have the same effect at the end, except that "Deny Attacker Victim Pair Inline" has an entry in the "Deny attackes".

I hope this answers your query

View solution in original post

pchaturv · ‎02-04-2013

TCP resets are sent to both: the client(possibly outside the network) and the server(internal). This not just helps cleaning up the state on the internal server(which we care about) but also avoids further packets from the client on the same flow.

ananmath · ‎02-20-2013

The document says,

Snippet from http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliEvAct.html

The deny packet inline action is represented as a dropped packet action in the alert. When a deny packet inline occurs for a TCP connection, it is automatically upgraded to a deny connection inline action and seen as a denied flow in the alert. If the IPS denies just one packet, the TCP continues to try to send that same packet again and again, so the IPS denies the entire connection to ensure it never succeeds with the resends.

When a deny connection inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert. When the IPS denies the connection, it leaves an open connection on both the client (generally the attacker) and the server (generally the victim). Too many open connections can result in resource problems on the victim. So the IPS sends a TCP reset to the victim to close the connection on the victim side (usually the server), which conserves the resources of the victim. It also prevents a failover that would otherwise allow the connection to fail over to a different network path and reach the victim. The IPS leaves the attacker side open and denies all traffic from it.

Deny Connection Inline and Deny Attacker Victim Pair Inline seems to have the same effect at the end, except that "Deny Attacker Victim Pair Inline" has an entry in the "Deny attackes".

I hope this answers your query

JEFF SPRADLING · ‎02-20-2013

Thanks, Anant. That makes more sense than sending resets in both directions.