CSA & LSASS exploits

acciai_gf
Level 1

We're using CSA in HA server situations to avoid reboots on the endless stream of MS patches. The issue we have with worm "buffer overrun" attacks on key Windows components (LSASS, RPC, etc.) is that CSA stops the attacks (HA servers not infected, a good thing), but LSASS is "killed" (due to the real buffer overrun) and then Windows itself "reboots" the box in 60 secs once LSASS is "gone". This effectively results in a DoS attack, as the HA server keeps getting rebooted. Any thoughts on CSA futures to avoid this?

1 Reply

jimwelsh
Level 1

Could you use IDS with TCP Reset to detect and reset the connections implementing the attacks? I haven't researched this for you, but perhaps signatures already exist in Cisco's definitions to detect known LSASS and RPC buffer overflow exploits, or custom sigs could be constructed from information from other sources (Snort signatures, CVE, etc.).

Just a thought.
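To make the "IDS with TCP Reset" idea concrete, here is an added example (mine, not code from this thread, from Cisco, or from Snort) of the two halves of that approach: a tiny signature matcher run over constructed TCP segments aimed at the SMB/RPC ports, and a builder for the spoofed RST that a sensor would send back to the attacker. The signatures are deliberately generic (a long run of one byte, or a 0x90 NOP sled, on ports 135/139/445) and are assumptions for illustration, not real Cisco or Snort rules for any specific LSASS or RPC exploit; the sample segments are constructed inline.

```python
"""Toy IDS: generic overflow signatures plus a spoofed TCP RST builder (added example)."""
import re
import socket
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    """The fields of a sniffed TCP segment that the sensor needs."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int        # attacker's sequence number of this segment
    ack: int        # attacker's acknowledgement number (server's next seq)
    payload: bytes


# Hypothetical signatures, for illustration only: (name, destination ports, payload regex).
# 500+ repeats of one byte and a 64+ byte NOP sled are the kind of padding an
# overflow exploit carries; real vendor signatures match the vulnerable RPC call instead.
SIGNATURES = [
    ("rpc/smb overflow padding", {135, 139, 445}, re.compile(rb"(.)\1{499,}", re.S)),
    ("nop sled", {135, 139, 445}, re.compile(rb"\x90{64,}")),
]


def match(seg: Segment) -> list:
    """Return the names of every signature the segment triggers."""
    return [name for name, ports, pat in SIGNATURES
            if seg.dport in ports and pat.search(seg.payload)]


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(seg: Segment) -> bytes:
    """Build an IPv4+TCP RST/ACK that impersonates the server toward the attacker.

    seq is the attacker's ack (what it expects from the server next), so the RST
    is in-window; ack covers the attacker's data so the segment is plausible.
    """
    src, dst = socket.inet_aton(seg.dst_ip), socket.inet_aton(seg.src_ip)
    seq = seg.ack & 0xFFFFFFFF
    ack = (seg.seq + len(seg.payload)) & 0xFFFFFFFF
    flags = 0x14  # RST | ACK
    tcp = struct.pack("!HHIIBBHHH", seg.dport, seg.sport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def decode(pkt: bytes) -> dict:
    """Parse a packet from build_rst back into fields and verify both checksums."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    tcp = pkt[20:]
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_ok": _checksum(pkt[:20]) == 0, "tcp_ok": _checksum(pseudo + tcp) == 0}


def respond(seg: Segment) -> list:
    """Sensor policy: one spoofed RST per triggered signature, none for clean traffic."""
    return [build_rst(seg) for _ in match(seg)]


if __name__ == "__main__":
    # Constructed sample traffic, not a capture of a real exploit.
    benign = Segment("10.0.0.5", "10.0.0.10", 50000, 445, 1000, 2000, b"\xffSMB" + b"x" * 40)
    evil = Segment("10.0.0.5", "10.0.0.10", 50001, 445, 3000, 4000, b"\x05\x00\x0b" + b"A" * 600)
    for seg in (benign, evil):
        hits = match(seg)
        print(seg.sport, "->", seg.dport, "hits:", hits or "none")
        for pkt in respond(seg):
            print("  RST:", decode(pkt))
```

Sending the RST would need a raw socket (root) or a Scapy `send()`, which is left out so the block runs anywhere. The practical caveat for the problem in the original post is timing: a reset only helps if it reaches the target before the overflow does, and a single-segment overflow is processed as soon as it arrives, so a passive sensor with TCP reset often loses that race; an inline IPS that drops the segment, or the vendor patch, is what keeps LSASS alive.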