[Snort-users] New ICMP attack?

Avleen Vig avleen at ...396...
Mon Jan 8 07:48:33 EST 2001

From: "Mitch Thompson" <mitchthompson at ...539...>
> Hello,
> Was hoping someone could give me some more information about the
> following:
> [**] PING-ICMP Source Quench [**]
> 10/03-09:21:30.000070 xxx.xxx.xxx.xx -> xxx.xxx.xxx.xxx
> ICMP TTL:232 TOS:0x0 ID:53130 IpLen:20 DgmLen:56 DF
> Just saw a bunch of these roll off the screen...Can't find any reference
> to SOURCE QUENCH on WhiteHats.com, but probably didn't look hard enough.

A source quench is sent to a box, to tell it to slow down the rate at which
it is sending data. This can be for a number of reasons. It can be (as you
suspect) part of a small DoS, where everything would return to normal as
soon as it stopped. Alternatively it could be perfectly legitimate.
If you ever try shoving lots and lots of data (a few mb from many different
hosts) through a tiny 64kb leased line, the router will often send back (or
at least, it SHOULD often send back) ICMP Source Quench replies.

Maybe the src is getting a lot of network congestion?
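
An added example, not part of the original post: to judge whether a Source Quench is plausible, decode the datagram it quotes and see which of your own flows it refers to. An ICMP type 4 message carries the original IP header plus the first 8 data bytes, which is why the alert above shows DgmLen:56 (20 + 8 + 20 + 8). The function names, addresses and ports below are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_source_quench(datagram: bytes) -> dict:
    """Return the flow quoted inside an IPv4 ICMP Source Quench (type 4)."""
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:]
    if datagram[9] != 1 or len(icmp) < 8 + 20 + 8:
        raise ValueError("not ICMP, or too short to quote a datagram")
    if icmp[0] != 4:
        raise ValueError("ICMP type %d is not Source Quench" % icmp[0])
    inner = icmp[8:]                      # quoted IP header + first 8 data bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    ports = (None, None)
    if proto in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP or UDP
        ports = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    orig_src = socket.inet_ntoa(inner[12:16])
    return {
        "reporter": socket.inet_ntoa(datagram[12:16]),
        "checksum_ok": inet_checksum(icmp) == 0,
        # A genuine quench goes back to the sender of the quoted datagram.
        "addressed_to_sender": orig_src == socket.inet_ntoa(datagram[16:20]),
        "orig_src": orig_src,
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": proto,
        "orig_sport": ports[0],
        "orig_dport": ports[1],
    }

def build_sample() -> bytes:
    """Constructed 56-byte datagram (documentation addresses, not real traffic)."""
    def ip_hdr(src, dst, proto, length, ttl):   # IP header checksum left as 0
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 53130, 0x4000,
                           ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    inner = ip_hdr("192.0.2.10", "198.51.100.20", 6, 1500, 63) + struct.pack("!HHI", 40000, 80, 1)
    icmp = struct.pack("!BBHI", 4, 0, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_hdr("203.0.113.1", "192.0.2.10", 1, 20 + len(icmp), 232) + icmp

if __name__ == "__main__":
    print(parse_source_quench(build_sample()))
```

If the quoted flow is one your host really had open toward a congested path, the message is consistent with the legitimate case described above; a quoted source that is not the host receiving the quench, or a flow you never sent, is worth a closer look.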

