The TCP Reset, the Magical Solution of NDR for Automatic Response?

April 16, 2024
Cybersecurity - Security network

In the cybersecurity domain, threat detection and response are integral components of a cyber defence strategy. NDR (Network Detection & Response) is a threat detection tool based on network flows that also provides mechanisms to aid response. However, deciding which technique the ‘R’ of NDR should employ is not a choice to be taken lightly. One candidate for automated response is the TCP RST (Reset) technique: forging reset segments to interrupt suspicious connections. This approach, borrowed from the TCP reset attack long used by connection-hijacking tooling, raises questions of its own.

Let us analyse this topic in more detail together. 

Understanding TCP RST

TCP RST is a mechanism built into the TCP (Transmission Control Protocol) that allows for an abrupt closure of a TCP connection. A segment carrying the RST flag tells the receiver to drop the connection immediately, bypassing the normal FIN/ACK closure handshake. In the context of cybersecurity, the idea of sending a forged TCP RST packet to interrupt a suspicious connection may seem appealing: in theory, it could quickly isolate a compromised host or block an ongoing attack.

However, the practical implementation of this technique poses several challenges.

How to Forge a TCP RST Packet?

  • The Challenges of Implementation

To start, when a TCP connection is initiated, the client and server each choose a 32-bit initial sequence number (ISN), which modern stacks generate unpredictably. For a RST packet to be honoured, it must be properly forged, which involves knowing the sequence numbers in use on the targeted connection: a receiver only accepts a RST whose sequence number falls inside its receive window, and stacks implementing RFC 5961 go further, acting on it immediately only if it matches the next expected sequence number exactly and answering anything else in the window with a challenge ACK.

It is therefore often preferable to interrupt the connection from the outset, before it is fully established, while the only sequence number that matters is visible on the wire. With this in mind, the initial SYN packet is intercepted and a RST packet is immediately sent, impersonating the server. Concretely, the NDR sends the client a RST/ACK segment whose source address and port are the server's, whose sequence number is zero, and whose acknowledgment number is the client's ISN plus one (the SYN occupies one sequence-space octet), exactly as RFC 793 prescribes for a reset answering a segment that carries no ACK.
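As an added illustration (not code from the original article, nor from any NDR product), the following Python builds the two reset segments for a SYN observed on the wire: the RST/ACK toward the client described above, and the companion RST toward the server that the limitations discussed further down require. The client, server, ports and ISN of the sample SYN are constructed for the example, the function names are ours, the builder emits option-less headers, and it only produces bytes; it does not transmit anything.

```python
import socket
import struct

# TCP flag bits (low byte of the data-offset/flags word)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields we need from an IPv4/TCP packet (IP and TCP options are skipped)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0xFF,
    }


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, ttl=64) -> bytes:
    """Serialise a 20-byte IPv4 header plus a 20-byte option-less TCP header,
    with both checksums filled in (the TCP checksum covers the pseudo-header)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(pkt: bytes) -> bool:
    """True when both the IPv4 and the TCP checksum verify, i.e. a receiver would not discard it."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pkt[:ihl]) == 0 and _checksum(pseudo + tcp) == 0


def forge_resets_for_syn(syn_pkt: bytes) -> tuple:
    """Given a captured bare SYN, return (rst_to_client, rst_to_server) as raw IPv4 packets."""
    syn = parse_ipv4_tcp(syn_pkt)
    if (syn["flags"] & (SYN | ACK)) != SYN:
        raise ValueError("expected a bare SYN (no ACK)")
    next_seq = (syn["seq"] + 1) & 0xFFFFFFFF  # the SYN occupies one sequence number; wraps mod 2^32
    # Toward the client, impersonating the server. RFC 793's reset for a segment without ACK is
    # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>, so ACK = ISN+1 and the client in SYN-SENT accepts it.
    to_client = build_ipv4_tcp(syn["dst"], syn["src"], syn["dport"], syn["sport"],
                               0, next_seq, RST | ACK)
    # Toward the server, impersonating the client. Once the server is in SYN-RECEIVED its RCV.NXT
    # is ISN+1, and RFC 5961 only honours a RST whose SEQ equals RCV.NXT exactly, so SEQ = ISN+1.
    to_server = build_ipv4_tcp(syn["src"], syn["dst"], syn["sport"], syn["dport"],
                               next_seq, 0, RST)
    return to_client, to_server


# Constructed sample (example data, not a real capture): client 10.0.0.5:40000 opening a
# connection to 192.0.2.10:443 with ISN 0x12345678.
SAMPLE_SYN = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 443, 0x12345678, 0, SYN)

if __name__ == "__main__":
    for name, pkt in zip(("to client", "to server"), forge_resets_for_syn(SAMPLE_SYN)):
        print(name, parse_ipv4_tcp(pkt), "checksums ok:", checksums_valid(pkt))
```

Putting either packet on the wire needs a raw socket with the IP header included (for example `socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)` as root, then `sendto(pkt, (dst, 0))`), which is exactly the step that turns a passive sensor into an active one. Note the timing constraints on the two legs: the client-side RST/ACK must beat the genuine SYN/ACK, while the server-side RST is ignored as long as the server is still in LISTEN (RFC 793 discards resets to a listening socket), so it only works once the server has processed the SYN; a sensor fed from a TAP or SPAN port is racing on both.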

  • Associated Limitations

The main drawback is that the technique's effectiveness depends on how quickly the RST packet can be sent and received. An NDR typically observes traffic out of band, from a TAP or SPAN port, so it is racing the real server: if the legitimate SYN/ACK reaches the client before the forged RST, the client moves to the established state, the forged RST (with its sequence number of zero) now falls outside the client's receive window and is discarded, and the door stays open for the attack.

Moreover, the use of TCP RST is not without risks.

Sending a RST in the middle of a connection requires closing the connection on both sides, otherwise the half that remains open is itself exploitable. If the RST is delivered only to the client, the server keeps its end of the connection (half-open, or fully established), and an attacker who controls the client can simply keep using it. Some solutions only reset one side, leaving their automated response easy for malicious actors to sidestep.

Another major risk is that a savvy attacker who controls an endpoint can bypass the TCP RST technique by ignoring the RST packet, for instance by having the host firewall drop inbound segments carrying the RST flag. In addition, the method is inapplicable to UDP flows, which carry no connection state to tear down.

Furthermore, by becoming active on the network to send RST packets, the NDR exposes itself to denial-of-service (DoS) attacks: the response path is extra load that an attacker can drive at will, and an attacker who can trigger detections on demand turns the NDR into a generator of resets against legitimate connections.

Towards Safer and More Effective Methods

Thus, given the limitations and risks of the TCP RST technique, it is essential to favour safer and proven approaches to automated threat response, using tools designed for the purpose. Pushing firewall rules to isolate a suspicious host, or integrating with EDR (Endpoint Detection and Response) solutions, offers more robust alternatives. These methods enable a more controlled response and are less likely to be circumvented by attackers.

In Conclusion

Many perceive the TCP RST technique as the magical solution of NDR for automatic response. Yet the numerous limitations and risks it introduces make it hard to recommend. It should not be considered a credible solution for automated response. In this field, it is crucial to rely on proven and reliable methods, with a holistic approach, to ensure effective protection of networks and information systems against emerging threats.
