Cisco Support Community

New Member

How is RESET tcp connection accomplished?

The sensor has the ability to reset a TCP connection when a signature is fired. Is this action accomplished by reconfiguring the router or by some other method?

4 REPLIES
New Member

Re: How is RESET tcp connection accomplished?

Hi,

The sensor sends a TCP packet to the IP destination address of the "attacker" with the FIN bit set.

rgds,

GRAZ

New Member

Re: How is RESET tcp connection accomplished?

Actually it should send a reset packet, not a FIN. An IDS sends resets by several different methods. I am not sure which Cisco uses, but it should be one or a combination of these:

1. IDS spoofs the source of the attack (attacker) and sends a reset to the victim host. This would tear down the connection on the victim, requiring the attacker to re-establish another connection.

2. IDS spoofs the victim, sending a reset to the attacker. Does the same basic thing as 1.

3. Both.

I personally like method 1 since it is probably quicker and less likely to give the attacker information about the IDS. The big difference between resets and shunning is that with shunning the attacker should have no access past your screening router; with resets only that particular session is killed, meaning the attacker can still establish other connections.
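
The two spoofing methods listed above, modelled as an added example (not part of the original thread and not Cisco's implementation): it derives the header fields each reset must carry from the segment that fired the signature, then applies the RFC 5961 receiver check to show why a reset that loses the race with live traffic is ignored. The `Segment` type, function names, addresses and sequence numbers are constructed for illustration; nothing is sent on the wire.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    flags: str = ""
    payload_len: int = 0

def resets_for(trigger: Segment) -> dict:
    """Derive both resets from the attacker->victim segment that fired the signature."""
    # Method 1: spoof the attacker. SEQ is the next byte the victim expects from the attacker
    # (assumes the trigger carries no SYN/FIN, which would each consume one more number).
    to_victim = Segment(trigger.src, trigger.sport, trigger.dst, trigger.dport,
                        seq=(trigger.seq + trigger.payload_len) % MOD, flags="RST")
    # Method 2: spoof the victim. The attacker's ACK field is the next byte it expects.
    to_attacker = Segment(trigger.dst, trigger.dport, trigger.src, trigger.sport,
                          seq=trigger.ack, flags="RST")
    return {"method1": to_victim, "method2": to_attacker}

def receiver_verdict(rst: Segment, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 handling of an incoming RST on an established connection."""
    if rst.seq == rcv_nxt:
        return "reset"            # exact match: connection is torn down
    if (rst.seq - rcv_nxt) % MOD < rcv_wnd:
        return "challenge_ack"    # in window but not exact: receiver only sends an ACK
    return "drop"                 # outside the window: silently ignored

# Constructed sample: attacker 192.0.2.10 sends 200 bytes to victim 198.51.100.5:80.
TRIGGER = Segment("192.0.2.10", 40000, "198.51.100.5", 80,
                  seq=1000, ack=5000, flags="PSH,ACK", payload_len=200)

if __name__ == "__main__":
    r = resets_for(TRIGGER)
    print(r["method1"], receiver_verdict(r["method1"], rcv_nxt=1200, rcv_wnd=65535))
    # The sensor races the live session: 100 more bytes arrive first, so the reset is stale.
    print("after more data:", receiver_verdict(r["method1"], rcv_nxt=1300, rcv_wnd=65535))
    print(r["method2"], receiver_verdict(r["method2"], rcv_nxt=5000, rcv_wnd=65535))
```

Stacks that predate RFC 5961 follow RFC 793 and tear the connection down on any in-window reset, so on those the `challenge_ack` case would also end the session.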

New Member

Re: How is RESET tcp connection accomplished?

Correct!

is the rst bit set... excuse me!

Graz.

New Member

Re: How is RESET tcp connection accomplished?

Yes, RST should be set.
