[Snort-users] New ICMP attack?

Johan.Augustsson Johan.Augustsson at ...796...
Mon Jan 8 07:47:12 EST 2001

>Was hoping someone could give me some more information about the
>[**] PING-ICMP Source Quench [**]
>10/03-09:21:30.000070 xxx.xxx.xxx.xx -> xxx.xxx.xxx.xxx
>ICMP TTL:232 TOS:0x0 ID:53130 IpLen:20 DgmLen:56 DF

From RFC 792

A gateway may discard internet datagrams if it does not have the buffer 
space needed to queue the datagrams for output to the next network on the 
route to the destination network. If a gateway discards a datagram, it may 
send a source quench message to the internet source host of the datagram. A 
destination host may also send a source quench message if datagrams arrive 
too fast to be processed. The source quench message is a request to the 
host to cut back the rate at which it is sending traffic to the internet 
destination. The gateway may send a source quench message for every message 
that it discards. On receipt of a source quench message, the source host 
should cut back the rate at which it is sending traffic to the specified 
destination until it no longer receives source quench messages from the 
gateway. The source host can then gradually increase the rate at which it 
sends traffic to the destination until it again receives source quench 

The gateway or host may send the source quench message when it approaches 
its capacity limit rather than waiting until the capacity is exceeded. This 
means that the data datagram which triggered the source quench message may 
be delivered.

Code 0 may be received from a gateway or a host.

>Just saw a bunch of these roll off the screen...Can't find any reference
>to SOURCE QUENCH on WhiteHats.com, but probably didn't look hard enough.
>Thanks in advance.
>Mitch Thompson, San Antonio TX
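
To triage an alert like the one quoted above, an analyst can decode the source quench and check it against the RFC 792 text: the message quotes the IP header plus the first 64 bits of the discarded datagram, and it should arrive at the host that sent that datagram. The following is an added example, not part of the original post; the addresses are constructed documentation-range values, and only the ID, TTL, DF flag and 56-byte length mirror the alert.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src, dst, proto, total_len, ident=0, ttl=64, flags_frag=0):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, ttl,
                    proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]

def build_sample(quoted_src="198.51.100.10"):
    """Constructed sample: gateway 192.0.2.1 quenches host 198.51.100.10."""
    tcp8 = struct.pack("!HHI", 1025, 80, 1)  # first 64 bits of original TCP header
    inner = ip_header(quoted_src, "203.0.113.5", 6, 40) + tcp8
    icmp = struct.pack("!BBHI", 4, 0, 0, 0) + inner  # type 4, code 0, unused word
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_header("192.0.2.1", "198.51.100.10", 1, 20 + len(icmp),
                     ident=53130, ttl=232, flags_frag=0x4000) + icmp

def parse_source_quench(pkt: bytes) -> dict:
    """Decode a source quench; RFC 792 sends it to the quoted datagram's source."""
    if len(pkt) < 20 or pkt[9] != 1:
        raise ValueError("not an IPv4 ICMP datagram")
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    if len(icmp) < 28 or icmp[0] != 4:
        raise ValueError("not a source quench quoting an IP header")
    inner = icmp[8:]  # IP header + 64 bits of the datagram that was quenched
    quoted = inner[(inner[0] & 0x0F) * 4:][:8]
    has_ports = inner[9] in (6, 17) and len(quoted) >= 4  # TCP or UDP
    ports = struct.unpack("!HH", quoted[:4]) if has_ports else None
    receiver, quoted_src = IPv4Address(pkt[16:20]), IPv4Address(inner[12:16])
    return {
        "reporter": str(IPv4Address(pkt[12:16])),
        "code": icmp[1],
        "checksum_ok": inet_checksum(icmp) == 0,
        "quoted_src": str(quoted_src),
        "quoted_dst": str(IPv4Address(inner[16:20])),
        "quoted_ports": ports,
        "sent_to_original_source": receiver == quoted_src,
    }

if __name__ == "__main__":
    print(parse_source_quench(build_sample()))
```

A message whose quoted source differs from the receiving host, or whose quoted flow matches nothing the host actually sent, does not fit the RFC 792 behaviour and deserves a closer look.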
