
New Member

Benefits of TCP resets

Does anyone have any documentation on the benefits of TCP Resets?

thanks,

Geoff

2 REPLIES
New Member

Re: Benefits of TCP resets

TCP resets attempt to tear down the TCP connection by sending a fabricated reset that appears to be from the receiving device to the attacking device. One reason for using this method would be for SAFE Nimda attack mitigation.

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm

New Member

Re: Benefits of TCP resets

Geoff,

Lisa's answer below is 100% technically correct. I, however, will caution you in the method and frequency of implementing TCP RSTs. A couple of scenarios can arise from being overzealous with the response.

First off, there's the world of false positives. Although the CiscoSecure engine is one of the better engines on the market, it is not accurate 100% of the time. What you don't want to do is send RSTs to a valid connection that is being reported as a false positive.

You also need to be careful using RSTs for attacks like NIMDA or aggressive dataflows. The scenario may also arise where, between packet inspection and crafting RSTs, the processing burden on your sensor could degrade and even become backlogged. I've seen a sensor in this scenario backlogged by 8 hours of heavy NIMDA traffic.

Hope this helps.

CC
