[Snort-users] Source quenchyness

a.h.s. boy spud at ...4557...
Mon Jan 14 17:44:02 EST 2002


I have a box co-located at a friend's company, and have Snort/ACID set up 
on it (with HOME_NET restricted to only my machine...I'm not concerned 
with monitoring all their traffic).

I get about 5-6000 ICMP Source Quench alerts a day(!)...all from one of 
their NT servers sitting on the same subnet as mine. I'm not sure what 
role the NT box serves for them, but it certainly is chatty with my box.

All I know about source quench messages is that they're an indication 
that the sending box isn't handling the volume of traffic very well, and 
it's trying to tell my box to slow down. And I know that ICMP Source 
Quench packets are "deprecated", since it's not a great idea to generate 
more traffic to indicate that there's too much traffic. That's the 
extent of my knowledge about ICMP Source Quenches.

While I could have Snort ignore these "violations", what I'm really 
wondering is WHY the NT box would be having so much trouble with this 
server...it's NOT a very high-volume server at all (2 web sites, one 
quite negligible). So I have a hard time believing that I'm really 
flooding the NT box...or rather, I can't believe that the amount of 
traffic my machine is generating is unreasonable.

Can someone fill me in on what I might be able to do to resolve this 
issue, either on my server, or the network it's on, or the NT box (I 
don't have many details on the NT box right now, but I can get them).

Cheers,
spud.

-------------------------------------------------------------------
a.h.s. boy
spud at ...4557...               "as yes is to if,love is to yes"
http://www.nothingness.org/
PGP Fingerprint: 7B5B 2E7A FA96 865A D9D9  5D6D 54CD D2C1 3429 56B4
-------------------------------------------------------------------
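
An added example, not part of the original post: every ICMP Source Quench (type 4) quotes the IP header and first 8 bytes of the datagram that triggered it, so tallying the quoted flows shows which local service the quenching host is reacting to. The function names and the 192.0.2.x sample packets are constructed for illustration; input is assumed to be raw IPv4 packets taken from a capture.

```python
import socket
import struct
from collections import Counter

def parse_source_quench(packet: bytes):
    """Return the flow quoted inside an IPv4 ICMP Source Quench, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 4:                       # ICMP type 4 = Source Quench
        return None
    # RFC 792: after the 8-byte ICMP header comes the offending datagram's
    # IP header plus the first 64 bits of its payload.
    quoted = packet[ihl + 8:]
    q_ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if q_ihl < 20 or len(quoted) < q_ihl:
        return None
    flow = {"quencher": socket.inet_ntoa(packet[12:16]),
            "orig_src": socket.inet_ntoa(quoted[12:16]),
            "orig_dst": socket.inet_ntoa(quoted[16:20]),
            "proto": quoted[9], "sport": None, "dport": None}
    if quoted[9] in (6, 17) and len(quoted) >= q_ihl + 4:   # TCP or UDP ports
        flow["sport"], flow["dport"] = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return flow

def tally(packets):
    """Count quenches per (quencher, proto, local port) to find the chatty service."""
    flows = filter(None, map(parse_source_quench, packets))
    return Counter((f["quencher"], f["proto"], f["sport"]) for f in flows)

def ip_packet(src, dst, proto, payload):
    # Constructed header; checksum is 0 because the parser does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def sample_quench(sport=80):
    # Constructed: 192.0.2.10 sent TCP sport -> 1034 to 192.0.2.20, which quenched it.
    orig = ip_packet("192.0.2.10", "192.0.2.20", 6, struct.pack("!HHI", sport, 1034, 0))
    return ip_packet("192.0.2.20", "192.0.2.10", 1, struct.pack("!BBHI", 4, 0, 0, 0) + orig)

if __name__ == "__main__":
    print(tally([sample_quench(80), sample_quench(80), sample_quench(137)]))
```

If the tally is dominated by one local port, that service's traffic toward the quenching host is the place to look first.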