[Snort-users] Load of source quench

agetchel at ...1525...
Thu Apr 5 11:32:30 EDT 2001


Hi JB,
	It's a good idea to block ICMP source quench packets at the
firewall, as they can be used as a somewhat effective DoS attack (depending
on the OS of the machine being attacked and how it handles these
notifications).  Seeing that many of these alerts in such a short amount of
time (all coming from one host going to one host?) would definitely raise a
red flag.  However, we've seen a good amount of these being sent from remote
servers to our large proxy array for legitimate reasons (up to about 35 per
minute).  Since the ICMP Source Quench notification is basically a remote
system telling your system 'Slow down!  I can't process the data as fast as
you're sending it!', blocking these might result in packet loss.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: JB Lallement [mailto:jean-baptiste.lallement at ...1699...]
> Sent: Thursday, April 05, 2001 10:59 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Load of source quench
> 
> 
> Hi,
> 
> Snort detected a load of Source Quench ( about 300 in 5 min ).
> I know this is a primitive flow control but what does it mean in terms of
> possible attack?
> Should I block them at Firewall level?
> What could be the consequences?
> 
> Thx
> 
> JB
> 
> 
> 
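The per-pair rate check discussed in the reply, as an added example that is not part of the original thread: it parses alert lines in the style of Snort's fast alert output, counts Source Quench alerts per source/destination pair per minute, and flags pairs above a limit. The sample lines, the addresses, the `year` parameter (fast alerts carry no year) and the use of the reply's 35-per-minute figure as the limit are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Fast-alert style line: "MM/DD-HH:MM:SS.usec  [**] msg [**] ... src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+(?:\[[\d:]+\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\].*?"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3})\s*$"
)

def quench_rates(lines, year=2001):
    """Count Source Quench alerts per (src, dst, minute); other alerts are skipped."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or "source quench" not in m["msg"].lower():
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        counts[(m["src"], m["dst"], ts.replace(second=0))] += 1
    return counts

def flag_pairs(lines, per_minute_limit=35):
    """Return {(src, dst): peak per-minute count} for pairs above the limit."""
    peaks = {}
    for (src, dst, _minute), n in quench_rates(lines).items():
        if n > per_minute_limit:
            peaks[(src, dst)] = max(n, peaks.get((src, dst), 0))
    return peaks

def build_sample():
    """Constructed alerts: one pair at 60/min for 5 minutes, another at 20/min."""
    tmpl = "04/05-10:5{m}:{s:02d}.000000  [**] ICMP Source Quench [**] {src} -> 198.51.100.5"
    lines = []
    for minute in range(5):
        for sec in range(60):
            lines.append(tmpl.format(m=minute, s=sec, src="192.0.2.10"))
        for sec in range(0, 60, 3):
            lines.append(tmpl.format(m=minute, s=sec, src="203.0.113.7"))
    lines.append("04/05-10:55:00.000000  [**] ICMP PING [**] 192.0.2.10 -> 198.51.100.5")
    return lines

if __name__ == "__main__":
    for (src, dst), peak in flag_pairs(build_sample()).items():
        print(f"{src} -> {dst}: peak {peak} Source Quench/min")
```

The first constructed pair reproduces the 300-in-5-minutes volume from the question and is flagged; the second stays under the limit and is not.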



