08-20-2002 07:17 PM - edited 03-09-2019 12:00 AM
Does anyone have any documentation on the benefits of TCP Resets?
thanks,
Geoff
08-28-2002 01:43 PM
TCP resets attempt to tear down the TCP connection by sending a fabricated reset that appears to be from the receiving device to the attacking device. One reason for using this method would be for SAFE Nimda attack mitigation.
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm
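To make the mechanism concrete, the following is an added example (not code from the original thread, from Cisco, or from the SAFE paper) of what a sensor's "TCP reset" response actually has to put on the wire. It builds a RST segment sourced from the receiving device's address and port toward the attacker, with the sequence number set to the ACK the attacker just sent so the attacker's stack accepts it as in-window (RFC 793 section 3.4 behaviour), and computes the TCP checksum over the IPv4 pseudo-header. The addresses, ports, sequence numbers and HTTP request are constructed sample values, and the function names are this example's own; the block only builds and parses bytes and does not transmit anything.

```python
"""Forged TCP reset: what an IDS "TCP reset" response puts on the wire.

Added illustration, not the original post's or Cisco's code. All addresses,
ports, sequence numbers and payloads are constructed sample values.
"""
import socket
import struct

TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10
TCP_HEADER_FMT = "!HHIIBBHHH"   # 20-byte TCP header, no options


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=0):
    """Return a TCP header + payload with a valid checksum (data offset 5 words)."""
    header = struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = _ones_complement_sum(
        _pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack, 5 << 4, flags, window, csum, 0)
    return header + payload


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fixed TCP header fields and split off the payload."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack(TCP_HEADER_FMT, segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum, "payload": segment[hlen:]}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct checksum makes the ones-complement sum over pseudo-header + segment zero."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def forge_reset(attacker_ip: str, victim_ip: str, observed: bytes) -> bytes:
    """Given a segment seen going attacker -> victim, build the RST the sensor injects.

    The RST is sourced from the victim's address/port toward the attacker. Its SEQ is
    the ACK number the attacker just sent (the next byte it expects from the victim),
    and its ACK acknowledges the data the attacker sent, so the attacker's stack
    treats it as a genuine in-window reset and drops the connection.
    """
    seen = parse_tcp_segment(observed)
    return build_tcp_segment(
        src_ip=victim_ip, dst_ip=attacker_ip,
        sport=seen["dport"], dport=seen["sport"],
        seq=seen["ack"],
        ack=seen["seq"] + len(seen["payload"]),
        flags=TCP_FLAG_RST | TCP_FLAG_ACK,
    )


if __name__ == "__main__":
    # Constructed sample: an attacker host sends an HTTP request to a web server.
    attacker, victim = "10.0.0.5", "192.0.2.10"
    observed = build_tcp_segment(attacker, victim, 40000, 80, 1000, 5000,
                                 TCP_FLAG_PSH | TCP_FLAG_ACK, b"GET / HTTP/1.0\r\n\r\n")
    rst = forge_reset(attacker, victim, observed)
    print("forged RST:", rst.hex())
    print(parse_tcp_segment(rst))
```

Two practical points follow directly from the code: the forged segment only works if the sensor captured the attacker's current sequence and acknowledgement numbers, so a reset fails silently on a connection whose state the sensor has not tracked, and the sensor must build, checksum and emit a full segment for every offending packet, which is the per-packet cost behind the processing-burden caveat raised later in this thread.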
09-01-2002 04:02 AM
Geoff,
Lisa's answer below is 100% technically correct. I, however, will caution you in the method and frequency of implementing TCP RSTs. A couple of scenarios can arise from being overzealous with the response.
First off there's the world of false positives. Although the CiscoSecure engine is one of the better engines on the market it is not accurate 100% of the time. What you don't want to do is send RSTs to a valid connection that is being reported as a false positive.
You also need to be careful using RSTs for attacks like NIMDA or aggressive dataflows. The scenario may also arise where, between packet inspection and crafting RSTs, the processing burden on your sensor could degrade and even become backlogged. I've seen a sensor in this scenario backlogged by 8 hours of heavy NIMDA traffic.
Hope this helps.
CC