[Snort-users] ICMP Source Quench

Ofir Arkin ofir at ...949...
Wed Aug 28 05:18:04 EDT 2002


Source Quench (ICMP Type 4)

A. Router Behavior
A.1 ICMP Source Quench error message issued by a Router
If a router sends this message, it means that the router does not have
the buffer space needed to queue the datagrams for output to the next
network on the route to the destination network. It simply means that
the router is congested. 

RFC 1812 specifies that a router should not generate Source Quench error
messages, but a router that does originate Source Quench error messages
must be able to limit the rate at which they are generated. The RFC
states the reasons for limiting the rate when generating ICMP error
messages:

- The consumption of network bandwidth on the reverse path
- The burden on the Router's CPU and memory


A.2 A router receiving an ICMP Source Quench error message
When a router receives an ICMP Source Quench error message (which is
directly aimed at the router) it may ignore the Source Quench error
message. If the router decides not to ignore the ICMP Source Quench
error message it needs to cut back the rate, which it is sending traffic
to the destination system which sent this ICMP error message to the
Router.


B. Host Behavior
B.1 A Host sending an ICMP Source Quench error message
A destination host may send a Source Quench error message (it may be
implemented) if it is approaching, or has already reached, the point at
which it is no longer able to process some of the incoming packets
because it does not have the buffer space (or resources) to process
them.

The ICMP header code would always be zero.


B.2 A Host receiving an ICMP Source Quench error message
When a sending host receives an ICMP source quench error message from
the destination Host it should throttle itself back for a period of
time, and then gradually increase the transmission rate again.  

Source Quench error messages must be reported by the IP layer to the
transport layer. The host should throttle itself back for a period of
time, then gradually increase the transmission rate again. The TCP
transport protocol must react to Source Quench error messages by
slowing the transmission rate on the connection. RFC 1122 recommends
that TCP throttle back to its "slow start" transmission algorithm.


In the next example, an HP Open View system, based on the HPUX B.11.0
operating system, is probing the 172.18.2.x network in order to discover
the network topology. Since this operation was done without any rate
limiting of the sending of packets, at a certain point the HPUX machine
reached the point at which it was no longer able to process some
incoming packets. Here is one of the ICMP Source Quench error messages
it sent:


10:48:43.197728 eth0 < 172.18.2.5 > 172.18.2.201: icmp: source quench 
Offending pkt: 172.18.2.201 > 172.18.2.5: icmp: echo reply (DF) (ttl
255, id 0) (DF) (ttl 255, id 43363)
                         4500 0070 a963 4000 ff01 7536 ac12 0205
                         ac12 02c9 0400 fbff 0000 0000 4500 0054
                         0000 4000 ff01 1eb6 ac12 02c9 ac12 0205
                         0000 67dc 0761 081f 3b0b 4f4b 0006 fe46
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000


Hope this helps

Ofir Arkin [ofir at ...949...]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  


For more information: http://www.sys-security.com
Copyright (c) Ofir Arkin & The Sys-Security Group 1999-2002, all rights
reserved
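
The capture above, decoded field by field. This is an added example, not
part of the original post: the function names are assumptions chosen here,
and the only input is the hex dump copied from the message. It separates the
outer IP header, the ICMP type 4 fields and the quoted offending packet, and
validates each Internet checksum.

```python
import struct
from ipaddress import IPv4Address

# Bytes copied from the tcpdump hex dump in the post (112 bytes).
DUMP = """
4500 0070 a963 4000 ff01 7536 ac12 0205
ac12 02c9 0400 fbff 0000 0000 4500 0054
0000 4000 ff01 1eb6 ac12 02c9 ac12 0205
0000 67dc 0761 081f 3b0b 4f4b 0006 fe46
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
"""
PACKET = bytes.fromhex("".join(DUMP.split()))

def checksum_ok(data: bytes) -> bool:
    """RFC 1071: the ones'-complement sum over a valid header folds to 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(buf: bytes) -> dict:
    """Decode an IPv4 header and slice out the payload it describes."""
    (vihl, _tos, length, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    hlen = (vihl & 0x0F) * 4
    return {"len": length, "id": ident, "df": bool(frag & 0x4000),
            "ttl": ttl, "proto": proto, "hdr_ok": checksum_ok(buf[:hlen]),
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "payload": buf[hlen:length]}

def parse_source_quench(packet: bytes) -> dict:
    """Split an ICMP type 4 datagram into outer header, ICMP fields, quoted packet."""
    outer = parse_ipv4(packet)
    icmp = outer["payload"]
    if outer["proto"] != 1 or len(icmp) < 28 or icmp[0] != 4:
        raise ValueError("not an ICMP Source Quench carrying a quoted IP header")
    quoted = parse_ipv4(icmp[8:])  # skip type, code, checksum, 4 unused bytes
    return {"outer": outer, "code": icmp[1], "icmp_ok": checksum_ok(icmp),
            "quoted": quoted, "quoted_bytes": len(icmp) - 8,
            "quoted_icmp_type": quoted["payload"][0] if quoted["payload"] else None}

if __name__ == "__main__":
    sq = parse_source_quench(PACKET)
    print(sq["outer"]["src"], "->", sq["outer"]["dst"], "code", sq["code"])
```

In this capture the sender quoted all 84 bytes of the offending echo reply,
so the quoted length equals the total length field of the embedded IP header.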
