Cisco Support Community
New Member

Can the sensor send a tcp reset when it is installed inline?

I would like to find out if the IPS will send a reset to the attacker when a signature is modified to deny-attacker-service-pair-inline.

3 REPLIES
Cisco Employee

Re: Can the sensor send a tcp reset when it is installed inline?

No.

The packets will just be dropped/denied by the sensor without sending resets. The attacker connections will just eventually time out.

You can add the reset action to the existing deny-attacker-service-pair action for the signature and this will reset the one connection that triggered the signature.

However, it will not reset other connections that are being denied for the attacker-service-pair.

New Member

Re: Can the sensor send a tcp reset when it is installed inline?

Ok so here's the deal. With the IPS, we are blocking inside workstations from connecting to eDonkey servers using deny-attacker-service-pair. The connections come through a PIX 501.

What appears to happen is that the connection is blocked by the IPS, but each time the client tries to connect to a new eMule/eDonkey server, a connection request populates the PIX connection table. The table on the PIX becomes full and thus denies further connections from other clients. DoS happens...

As Marco has pointed out, the IPS can only send a reset for the initial denied request. What can we do on the PIX to calm the connection from the host that is SYN flooding via the PIX?
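An added example, not code from the thread or from Cisco: a small Python check that tallies half-open (embryonic) connections per inside host from a constructed list of connection-table entries, so the client whose repeated blocked eDonkey attempts are filling the PIX table can be identified. The entry format, the 10.1.1.x hosts and the threshold are assumptions; TCP 4662 is the eDonkey default port.

```python
# Added example (not from the thread): find the inside host whose half-open TCP
# connections are exhausting a firewall connection table. Entries are constructed,
# not real PIX "show conn" output.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEntry:
    src: str         # inside host
    dst: str         # destination server
    dport: int       # destination TCP port
    embryonic: bool  # True if the handshake never completed (SYN sent, no ACK back)


# Constructed sample: one host retrying 40 different eDonkey servers (TCP 4662),
# plus ordinary established traffic from two other hosts.
SAMPLE = [
    ConnEntry("10.1.1.50", f"198.51.100.{i}", 4662, True) for i in range(1, 41)
] + [
    ConnEntry("10.1.1.51", "203.0.113.10", 80, False),
    ConnEntry("10.1.1.52", "203.0.113.20", 443, False),
    ConnEntry("10.1.1.51", "203.0.113.30", 4662, True),
]


def embryonic_by_host(entries):
    """Return {src: number of half-open connections} for every inside host."""
    return Counter(e.src for e in entries if e.embryonic)


def find_offenders(entries, threshold):
    """Inside hosts whose half-open connection count meets or exceeds threshold."""
    return sorted(h for h, n in embryonic_by_host(entries).items() if n >= threshold)


def table_pressure(entries, table_size):
    """(fraction of the table in use, share of in-use entries that are half-open)."""
    total = len(entries)
    half_open = sum(1 for e in entries if e.embryonic)
    return total / table_size, (half_open / total if total else 0.0)


if __name__ == "__main__":
    print(embryonic_by_host(SAMPLE))
    print(find_offenders(SAMPLE, threshold=20))
    print(table_pressure(SAMPLE, table_size=100))
```

Feeding real connection-table output into `ConnEntry` records (with a parser for the firewall's own format) turns this into a quick way to confirm which host to rate-limit before a full table starts denying everyone else.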

Gold

Re: Can the sensor send a tcp reset when it is installed inline?

I'm not sure, but you could just add the "Reset TCP Connection" action to the signature to make sure it does.
