[Snort-users] New ICMP attack?

Ofir Arkin ofir at ...949...
Tue Jan 9 00:23:56 EST 2001

The reference here about PING is a misleading one!
I was thinking it was fixed ages ago.

You can take a look at the ICMP Rule Base I have made few weeks ago at:

Ofir Arkin
ofir at ...949...
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
Sent: Monday, January 08, 2001 4:47 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New ICMP attack?

>Was hoping someone could give me some more information about the
>[**] PING-ICMP Source Quench [**]
>10/03-09:21:30.000070 xxx.xxx.xxx.xx -> xxx.xxx.xxx.xxx
>ICMP TTL:232 TOS:0x0 ID:53130 IpLen:20 DgmLen:56 DF

 From RFC 792


A gateway may discard internet datagrams if it does not have the buffer
space needed to queue the datagrams for output to the next network on the
route to the destination network. If a gateway discards a datagram, it may
send a source quench message to the internet source host of the datagram. A
destination host may also send a source quench message if datagrams arrive
too fast to be processed. The source quench message is a request to the
host to cut back the rate at which it is sending traffic to the internet
destination. The gateway may send a source quench message for every message
that it discards. On receipt of a source quench message, the source host
should cut back the rate at which it is sending traffic to the specified
destination until it no longer receives source quench messages from the
gateway. The source host can then gradually increase the rate at which it
sends traffic to the destination until it again receives source quench

The gateway or host may send the source quench message when it approaches
its capacity limit rather than waiting until the capacity is exceeded. This
means that the data datagram which triggered the source quench message may
be delivered.

Code 0 may be received from a gateway or a host.

>Just saw a bunch of these roll off the screen...Can't find any reference
>to SOURCE QUENCH on WhiteHats.com, but probably didn't look hard enough.
>Thanks in advance.
>Mitch Thompson, San Antonio TX

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:

More information about the Snort-users mailing list