Antw: [Snort-users] ICMP source quench

Tom Whipp twhipp at ...63...
Mon Jul 31 07:32:05 EDT 2000

To be honest I tend to see a very large number of these being returned to a
large volume web site we host (it's not an attack, just lots of users on slow
dial-ups).  I'm aware that source quenches can be an attack; most firewall
config guides seem to suggest dropping them to prevent limited DoS attacks.

They certainly don't seem to be a required packet.  The only downside that I
can see to dropping these ICMPs is that the web server will eat slightly
more bandwidth due to retransmitting packets which have been lost.

Are there any other effects I should be aware of?  Do most people bother
dropping these?



-----Original Message-----
From: snort-users-admin at
[mailto:snort-users-admin at]On Behalf Of Ralf
Sent: 31 July 2000 11:53
To: snort-users at; jan at ...206...
Subject: Antw: [Snort-users] ICMP source quench

Hi Jan

It's a means for a router or host to tell another host that it's sending too
many packets in a given timeframe, more than it can handle in fact. Source
quench says: "Hey, stop flooding me and send fewer packets" <g>

In today's environment you should see them rather seldom...

