Antw: [Snort-users] ICMP source quench
twhipp at ...63...
Mon Jul 31 07:32:05 EDT 2000
To be honest I tend to see a very large number of these being returned to a
large volume web site we host (its not an attack just lots of users on slow
dial ups). I'm aware that source quences can be an attack, most firewall
config guides seem to suggest dropping them to prevent limited DoS attacks.
They certainly don't seem to be a required packet. The only downside that I
can see to dropping these ICMP's is that the web server will eat slightly
more bandwidth due to retransmitting packets which have been lost
Are there any other effects I should be aware of? Do most people bother
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ralf
Sent: 31 July 2000 11:53
To: snort-users at lists.sourceforge.net; jan at ...206...
Subject: Antw: [Snort-users] ICMP source quench
It's a means for a router or host to tell another host that it's sending too
much packets in a given timeframe, more than it can handle in fact. Source
quench says: "Hey, stop flooding me and send less packets" <g>
In today's environment you should see them rather seldomly...
Snort-users mailing list
Snort-users at lists.sourceforge.net
More information about the Snort-users