[Snort-users] Source quenchyness

Chris Grout cgrout at ...3649...
Mon Jan 14 18:03:02 EST 2002


Is it a game server? I.e. Quake, UT, Tribes, RTCW...  If so, this may be
your problem.  With the (usually UDP) traffic from the server telling
all the players who's doing what and where, any dialup or other slow
connection user's system probably gets cranky and begins begging the
server to slow down.

I also see this same behavior on our Tribes and RTCW servers.  Usually
coming from the same few slow ISDN users.

Chris

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of a.h.s. boy
Sent: Monday, January 14, 2002 5:43 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Source quenchyness


I have a box co-located at a friend's company, and have Snort/ACID set up
on it (with HOME_NET restricted to only my machine...I'm not concerned
with monitoring all their traffic).

I get about 5-6000 ICMP Source Quench alerts a day(!)...all from one of
their NT servers sitting on the same subnet as mine. I'm not sure what
role the NT box serves for them, but it certainly is chatty with my box.

All I know about source quench messages is that they're an indication
that the sending box isn't handling the volume of traffic very well, and
it's trying to tell my box to slow down. And I know that ICMP Source
Quench packets are "deprecated", since it's not a great idea to generate
more traffic to indicate that there's too much traffic. That's the
extent of my knowledge about ICMP Source Quenches.

While I could have Snort ignore these "violations", what I'm really
wondering is WHY the NT box would be having so much trouble with this
server...it's NOT a very high-volume server at all (2 web sites, one
quite negligible). So I have a hard time believing that I'm really
flooding the NT box...or rather, I can't believe that the amount of
traffic my machine is generating is unreasonable.

Can someone fill me in on what I might be able to do to resolve this
issue, either on my server, or the network it's on, or the NT box (I
don't have many details on the NT box right now, but I can get them).

Cheers,
spud.

-------------------------------------------------------------------
a.h.s. boy
spud at ...4557...               "as yes is to if,love is to yes"
http://www.nothingness.org/
PGP Fingerprint: 7B5B 2E7A FA96 865A D9D9  5D6D 54CD D2C1 3429 56B4
-------------------------------------------------------------------
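
An added example, not part of the original thread: per RFC 792, an ICMP Source Quench (type 4, code 0) quotes the IP header and first 8 data bytes of the datagram that triggered it, so tallying the quoted source ports shows which traffic from the monitored server the other host is reacting to. The addresses, ports and sample messages below are constructed for illustration.

```python
import socket
import struct
from collections import Counter

PROTO = {6: "tcp", 17: "udp"}

def parse_source_quench(icmp):
    """Return (proto, src, sport, dst, dport) of the datagram quoted in an
    ICMP Source Quench (type 4, code 0), or None if it is something else."""
    if len(icmp) < 8 + 20 or icmp[0] != 4 or icmp[1] != 0:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 data bytes
    ihl = (inner[0] & 0x0F) * 4           # quoted header length, options included
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport = dport = None
    if proto in PROTO and len(inner) >= ihl + 4:
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return PROTO.get(proto, str(proto)), src, sport, dst, dport

def tally_triggers(messages):
    """Count quenches per (proto, local source port) of the quoted datagram."""
    hits = Counter()
    for msg in messages:
        parsed = parse_source_quench(msg)
        if parsed:
            hits[(parsed[0], parsed[2])] += 1
    return hits

def build_quench(src, dst, proto, sport, dport):
    """Constructed sample: Source Quench quoting one datagram (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", 4, 0, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed addresses: 192.0.2.10 = monitored server, 192.0.2.20 = quenching host.
SAMPLES = ([build_quench("192.0.2.10", "192.0.2.20", 17, 5000, 5000)] * 3
           + [build_quench("192.0.2.10", "192.0.2.20", 6, 80, 1045)]
           + [struct.pack("!BBHI", 8, 0, 0, 0) + b"\x00" * 28])   # echo request, ignored

if __name__ == "__main__":
    for (proto, port), n in tally_triggers(SAMPLES).most_common():
        print(f"{n:4d} quenches triggered by {proto} traffic from local port {port}")
```

Feed it the ICMP portion of captured packets (for example from a packet log of the alerts); the checksum is not validated here.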

