'rst' attack

Discussion in 'other firewalls' started by leopold bloom, Jul 31, 2003.

Thread Status:
Not open for further replies.
  1. could somebody tell me what is 'rst' attacko_O, and who sends it. :mad:
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi leopold bloom

    Is this something you feel you are or have experienced? If so, a sample from your logs would help in determining what you are seeing (just xx.xx.xx.xx your IP).

    If it is just a general question, I have seen reference to RST attacks. I believe this vulnerability (denial of service) is OS specific. As RST packets are part of old connections "resetting" on the target system, the attacker would require all specifics of the connection (source IP, source port, destination IP, destination port). Not something most users are likely to see.

    Regards,

    CrazyM
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Also, you might encounter a heavy stream of Rsts if someone else is spoofing your IP in a DOS attack on an another host which in this situation would be the source of the Rsts you would see. This would not be an attack on you (at least that is not the intent) but this would be the consequence of the attacked host sending circuit teardown packets to what it thinks is the sending host. This doesn't happen often and it usually will not last long as the attacked domain would usually implement filters out their border routers pretty quickly.

    Regards,

    Dan
     
  4. I haves usually one or two of this attacks every day. I use agnitum firewall, and I see the attacks with the help of this firewall. could be this attacks against my bios? or to reset my os?
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi leopold bloom

    Do you have some log entries of these you could post that may help determine what you are getting/seeing? (just xx.xx.xx.xx out your public IP)

    Regards,

    CrazyM
     
  6. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    These are not 'attacks'... Understand that most firewalls geared towards normal users, they will make things sounds more important than they are since the majority doesn't know crap about networking, and want to feel protected. These programs give a false sense of security by marking even the most inane probe as malicous.

    If your firewall blocks it, don't worry about it. This likely is just a packet being sent during heavy traffic, or just a probe to try to check if your computer would respond. Packets like these have been used to attempt to get a response from 'stealth' firewalls, but the makers adapt.

    If a program calls someting an attack, never assume it is, know that these program will call things 'dos attacks', 'attack', and 'malicious' for no reason other than to make things sound much more important in most cases.
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi BlitzenZeus,

    While I agree with many of the things you say in your immediately previous post I think some of them may be subject to misinterpretation by some of the people with little experience or knowledge in network traffic analysis.

    This, in particular, IMHO is a dangerous position to advocate. There are many instances where activity might be partially blocked by the firewall but which point to security failings on the computer (that are not or cannot be addressed by the firewall). As an example, if someone gets repeated entries of SYN/ACK on local NetBIOS ports from many hosts this is an indication that the local host is infected with some NetBIOS-spread virus and that at least one outbound NetBIOS port is not being blocked as it should be.

    I have to admit :D I am annoyed when some security programs call any single packet that might *conceivably* be a part of a reconaissance attempt such as OS fingerprinting as an attack. Still, it is usually the case that the great majority of entries like this are attempts by others (whether automatic or directed) to obtain info/access from the target system without the owner's consent and to that extent it is incumbent on the owner to get an appropriate sense for the respective gravity of each type of "event". As an example, if there are varied events from the same host over time this would be an indicator of a focused attack.

    I am quite sure you are aware of these possibilities, I am only laying them out to try to keep some of the lesser knowledgeable readers from being persuaded to adopt an overly "hands-off" approach in analyzing their firewall logs.

    Regards,

    Dan
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Outpost, like many other firewalls with some kind of IDS will block all the various knocks on the door so to speak. When the IDS blocks something and logs it, it has to call it something, so it names it with the closest associated behaviour it can find.
    Outpost sees a certain kind of scan or packet as part of an RST attack and logs it that way. Probably because it picked up a reset packet. As previously mentioned, nothing of concern most of the time.
    I think it is very unusual for the average user to come under any attack, and if for some strange reason, someone did, I think they would see a great many packets being blocked and they would be very close together, timewise.
    I agree with Dan in that certain information can be gained if one sees traffic patterns that might be associated with a possible breach in a persons setup. Outpost makes it pretty easy to avoid leaving any vulnerable ports open, and a few scans at the various firewall test scan sites such as PC Flank or GRC will yield important information on you ports status.
     
Thread Status:
Not open for further replies.