reset -o

We have a server published over the internet. Some customers said the web is very slow. I reviewed the connection logs and found a lot of TCP reset -o. Can anyone help me to solve this problem???
1 Solution
btan (Exec Consultant) commented:
A TCP reset basically kills a TCP connection instantly. When used as designed this can be a useful tool.

It's possible for a 3rd computer to monitor the TCP packets on the connection, and then send a "forged" packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger.

One obvious application of forged TCP reset is to maliciously disrupt TCP connections without the consent of the two parties which own the endpoints. Applications and protocols that require lengthy sustained connections are most vulnerable.

It is not possible to fully protect against a brute force TCP reset attack, but there are many things that can be done to harden TCP stacks.

See http://kerneltrap.org/node/3072
ehab32 (Author) commented:
Please advise good tools to monitor, and step by step.
btan (Exec Consultant) commented:
Actually, as an overall picture, the TCP reset is just part of a task that can potentially escalate to TCP-based Denial of Service (DoS) attacks (with a large number of out-of-window RST packets). At times, it can also be seen as session hijacking, which takes over an established session to either gain access to the system, crash the system by inserting a buffer overflow attack, or simply terminate open sessions using RST packets.

So handling this using one tool may not be straightforward. I treat this as a protocol anomaly with symptoms such as excessive packets attempting to tear down connections within firewalls that do not correctly maintain TCP window sizes, and typically it also spoofs the source IP. Such early warning signs would be an anomaly signature for an IDS or IPS mechanism to detect.

For the appliance aspect, it would have been patched, so it is better to check on the network security device deployed for detecting such an attack.
Nonetheless, you can check out the last two pages of this good article summarising the defences against this attack too.

@ http://www.linux-magazine.com/w3/issue/58/TCP_Hijacking.pdf

There is another from Microsoft as well; I believe the TCP stack would have been upgraded.
@ http://msdn.microsoft.com/en-us/library/ff625905%28v=vs.85%29.aspx

To date it should be available and built into IDS rulesets minimally. Maybe, if you are interested, a Web Application Firewall can help in a long-run deployment.
@ http://tacticalwebappsec.blogspot.com/2010/03/inline-vs-out-of-line-waf-deployments.html

Actually, I see that to avoid spoofing, an encrypted channel may be another means, but it tends to have an operational impact.
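As an added example (not code from the original thread), here is the kind of detection logic btan describes: it parses firewall-style connection log lines and flags any source whose RST packets in a sliding window exceed a threshold. The log format, threshold and addresses are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical firewall-style log format (constructed for this example):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> flags=<TCP flag letters>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=[\d.]+ dport=\d+ flags=(?P<flags>[A-Z]+)$"
)

def parse_log(text):
    """Return a time-sorted list of (timestamp, src_ip, flags) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # skip malformed or unrelated lines
            continue
        records.append((datetime.fromisoformat(m["ts"]), m["src"], m["flags"]))
    records.sort(key=lambda r: r[0])
    return records

def rst_offenders(records, window_seconds=10, threshold=20):
    """Return {src_ip: peak_rst_count} for sources whose RST packets inside any
    window_seconds-long sliding window exceed threshold. A few RSTs per source
    are normal (aborted connections); a burst is the anomaly an IDS would flag."""
    windows = defaultdict(deque)  # src -> timestamps of recent RSTs
    peak = defaultdict(int)
    for ts, src, flags in records:
        if "R" not in flags:
            continue
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop RSTs that fell out of the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}

# Constructed sample: one well-behaved client and one source hammering the
# server with RSTs (documentation address ranges, not real hosts).
NORMAL = [
    "2010-03-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 dport=80 flags=S",
    "2010-03-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 dport=80 flags=A",
    "2010-03-01T10:00:09 src=198.51.100.7 dst=192.0.2.10 dport=80 flags=RA",
]
BURST = [
    f"2010-03-01T10:00:{i % 8:02d} src=203.0.113.5 dst=192.0.2.10 dport=80 flags=R"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(NORMAL + BURST)

if __name__ == "__main__":
    print(rst_offenders(parse_log(SAMPLE_LOG)))  # {'203.0.113.5': 40}
```

Tune window_seconds and threshold to your own baseline; the single RST from the normal client is below the threshold and is not reported.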
Tolomir (Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.