Antw: [Snort-users] ICMP source quench

Tom Whipp twhipp at ...63...
Mon Jul 31 07:32:05 EDT 2000


To be honest I tend to see a very large number of these being returned to a
large volume web site we host (it's not an attack, just lots of users on slow
dial ups).  I'm aware that source quenches can be an attack, most firewall
config guides seem to suggest dropping them to prevent limited DoS attacks.

They certainly don't seem to be a required packet.  The only downside that I
can see to dropping these ICMPs is that the web server will eat slightly
more bandwidth due to retransmitting packets which have been lost
downstream.

Are there any other effects I should be aware of?  Do most people bother
dropping these?

cheers

	Tom

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ralf
Günthner
Sent: 31 July 2000 11:53
To: snort-users at lists.sourceforge.net; jan at ...206...
Subject: Antw: [Snort-users] ICMP source quench


Hi Jan

It's a means for a router or host to tell another host that it's sending too
many packets in a given timeframe, more than it can handle in fact. Source
quench says: "Hey, stop flooding me and send fewer packets" <g>

In today's environment you should see them rather seldom...

Cheers
Ralf


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
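
An added example, not part of the original thread: one way to triage the source quenches discussed above before deciding whether to drop them. It parses ICMP type 4 / code 0 messages (RFC 792) and checks whether the quoted datagram really came from the web server. The function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_source_quench(icmp: bytes):
    """Return (src, dst, proto, sport, dport) of the datagram quoted in an
    ICMP type 4 / code 0 message (RFC 792), or None if malformed."""
    if len(icmp) < 36 or icmp[0] != 4 or icmp[1] != 0 or inet_checksum(icmp):
        return None
    quoted = icmp[8:]                      # quoted IP header + first 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None
    src, dst = (".".join(map(str, quoted[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return src, dst, quoted[9], sport, dport

def triage(events, server_ip, server_port=80):
    """Count quenches per sender that quote our TCP traffic; tally the rest."""
    per_sender, unsolicited = Counter(), 0
    for sender, icmp in events:
        q = parse_source_quench(icmp)
        if q is None:
            continue
        if q[0] == server_ip and q[2] == 6 and q[3] == server_port:
            per_sender[sender] += 1
        else:
            unsolicited += 1               # quotes nothing the server sent
    return per_sender, unsolicited

def build_quench(src, dst, sport, dport):
    """Constructed test input: a source quench quoting a TCP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    body = struct.pack("!BBHI", 4, 0, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed sample (documentation addresses); 192.0.2.10 stands in for the web server.
SAMPLE = [("198.51.100.7", build_quench("192.0.2.10", "203.0.113.5", 80, 1025)),
          ("198.51.100.7", build_quench("192.0.2.10", "203.0.113.6", 80, 1026)),
          ("198.51.100.9", build_quench("192.0.2.99", "203.0.113.5", 80, 1027))]
```

Many senders each quoting real server flows fits the slow-dial-up picture; a high unsolicited count means the quenches refer to traffic the server never sent.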




