[Snort-users] ICMP Source Quench

Hicks, John JHicks at ...5857...
Wed Sep 4 07:44:03 EDT 2002

FYI ... this is also noted specifically in the book "Intrusion Signatures
and Analysis".

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis at ...6400...]
Sent: Wednesday, August 28, 2002 9:15 AM
To: 'snort-users-request at lists.sourceforge.net'
Cc: Ofir Arkin; 'McCammon, Keith'; 'Wirth, Jeff'; 'Sergei Balyakin'
Subject: Re: [Snort-users] ICMP Source Quench

Ofir Arkin wrote:

> With the next example an HP Open View system, based on HPUX B.11.0 operating system is probing the
> 172.18.2.x network in order to discover the network topology. Since this operation was done without
> any rate limiting of the sending of packets, at a certain point the HPUX machine has reached the point
> it is no longer able to process some incoming packets. Here is one of the ICMP Source Quench error
> messages it sent:

Just to add some additional information w.r.t HP/UX.

HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where 
some design issue (I forgot the details off the top of my head) 
caused it to generate quite a number of ICMP Source Quenches.

I remember Snort going nuts reporting Source Quenches, before I got our 
guys to install the patches, and I've hardly seen one since.

There are patches for all supported versions of HP/UX, and I believe 
this is fixed in HP/UX 11.x (I vaguely remember it had something to do with 
the streams driver).

Email me privately and I can dig up specifics if required.


