One thing to remember with respect to RSKILLs: you MUST be careful when dealing with email signatures. The RSKILL does a great job resetting the connection for emails, thus causing the email server to queue these failed attempts. The server will try to resend these emails over and over and eventually crash. Been there..
 
Steve
 
-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 9:54 AM
To: [EMAIL PROTECTED]
Cc: Mohamed HAMOUCH
Subject: RE: [ISSForum] Re: Could RSKILL cause problems on a switch ?

I'm sure there are more qualified people that could help, but an RSKILL is simply a TCP Reset that is sent to both systems...the system which is being targeted and the system which sent the offending packet.  All this does is break the TCP connection so that a connection cannot be established and it hopes to prevent any further damage.  The RS sensor should do this every time an offending packet is sent, and one of your signatures catches the event.  I am unsure whether it would affect your other inline equipment but it doesn't seem likely.
 
I hope that helps.
 
Paul
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 02, 2003 12:37 PM
To: [EMAIL PROTECTED]
Cc: Mohamed HAMOUCH
Subject: [ISSForum] Re: Could RSKILL cause problems on a switch ?

Forgot to say that we're using a Nokia IP 330 appliance as a network sensor, version 6.5.
 
./Mohamed.
 
Mohamed HAMOUCH
mohamed.hamouch (at) cgey.com
----- Original Message -----
Sent: Wednesday, July 02, 2003 4:27 PM
Subject: Could RSKILL cause problems on a switch ?

Hi all,
 
I'd like to know if enabling RSKILL could cause some trouble to active network equipment, mainly switches (Cisco)?
 
How does RSKILL work? Does it block only the TCP connection which triggers the signature or all the traffic to the attacked host?
 
We encountered a strange problem on our platform and we think that it's caused by the RSKILL that we just activated for testing purposes.
 
As soon as we enabled the RSKILL and tested it by establishing the connection that triggers the signature, the switch (that is connected to the machine to which we send the attack) does not respond and all the machines behind this switch are not reachable (they seem to be down because the switch is no longer alive in terms of network).
 
We want to know if RSKILL could be behind this problem or if it's just a coincidence. It's really strange if it can cause all this kind of trouble.
 
Network sensor ------- cisco hub_1 ------- cisco switch_1 ---- cisco router ------ cisco switch_2 ---- machine
NB:  machine: the machine against which RSKILL is tested
        cisco switch_2: the switch which does not respond (off in terms of network)
 
 
Any help would be much appreciated.
 
Best Regards,
 

./Mohamed.
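
An added example, not part of the thread: Paul describes RSKILL as a TCP reset sent to both endpoints, and Steve warns that a mail server keeps retrying deliveries that were reset. The sketch below checks a capture for both conditions before the response is left enabled on a signature. The packet tuples, addresses, thresholds and the both-directions heuristic are assumptions constructed for illustration.

```python
from collections import defaultdict

def flow_key(src, sport, dst, dport):
    """Direction-independent key for one TCP connection."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def sample_packets():
    """Constructed capture: (time_s, src, sport, dst, dport, tcp_flags)."""
    relay, mx = "192.0.2.10", "198.51.100.25"   # documentation addresses
    pkts = []
    for i in range(4):                          # four delivery attempts, each reset
        t, sp = i * 60.0, 40000 + i
        pkts += [(t, relay, sp, mx, 25, "S"),
                 (t + 0.01, mx, 25, relay, sp, "SA"),
                 (t + 0.50, relay, sp, mx, 25, "PA"),
                 (t + 0.51, mx, 25, relay, sp, "R"),    # reset arriving at the relay
                 (t + 0.51, relay, sp, mx, 25, "R")]    # reset arriving at the server
    # An ordinary one-sided abort, which must not be counted.
    pkts += [(300.0, "192.0.2.77", 51000, "198.51.100.80", 80, "S"),
             (300.2, "198.51.100.80", 80, "192.0.2.77", 51000, "R")]
    return pkts

def killed_connections(packets, window=0.1):
    """Flows with RSTs seen in BOTH directions within `window` seconds (assumed heuristic)."""
    rst_seen = defaultdict(dict)                # flow -> {sender endpoint: first RST time}
    for t, src, sport, dst, dport, flags in packets:
        if "R" in flags:
            rst_seen[flow_key(src, sport, dst, dport)].setdefault((src, sport), t)
    return [flow for flow, seen in rst_seen.items()
            if len(seen) == 2 and max(seen.values()) - min(seen.values()) <= window]

def retry_loops(packets, threshold=3, window=0.1):
    """Count killed flows per (client, server, port); report those retried >= threshold times."""
    initiator = {}                              # flow -> (client ip, server ip, server port)
    for t, src, sport, dst, dport, flags in packets:
        if flags == "S":                        # bare SYN marks the connecting side
            initiator[flow_key(src, sport, dst, dport)] = (src, dst, dport)
    counts = defaultdict(int)
    for flow in killed_connections(packets, window):
        if flow in initiator:
            counts[initiator[flow]] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (client, server, port), n in retry_loops(sample_packets()).items():
        print(f"{client} -> {server}:{port} reset {n} times; sender is likely re-queuing")
```

A sender flagged here is a candidate for excluding that signature from the reset response, since each retry will be reset again.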
