[Snort-users] source quench icmp and advice

Matt Kettler mkettler at ...4108...
Thu Jul 24 19:33:04 EDT 2003

At 09:28 AM 7/25/2003 +0800, cc wrote:
>I've been getting quite a few of these icmp packets
>from a particular host, and I'm a little perturbed
>about this.
>I've read about what a source quench packet does
>so I'm worried whether or not my routing system
>is screwed up or if the packet source IP is
>DoS'ing me.

They certainly aren't going to DoS you that way.  If they are only coming 
from one IP address, all they will do is quench any communications that you 
are sending to THEM and not anywhere else. Hardly a DoS unless the source 
IP is someplace important (ie: someone flooding you with spoofed source 
quenches from www.google.com).

My guess is that the source of the messages you are getting is actualy a 
victim network being flooded to death by a DDoS attack of some sort. Your 
IP address may be one of the many spoofed addresses the attackers are 
using. The target network then generates some source quench packets to try 
to stop the flood, however the flood is probably coming from elsewhere.

>Also, I'd like to get some advice.  On what
>system should snort be used?   I'm currently
>testing it on my company's firewall.  Is that
>the right place?  I figured that since that's
>the access point from the Net to the LAN,
>it would be a right place to check what
>items of interest are hitting my firewall.

Really there is no universal "best place".. it all depends on what YOU need.

In general the common spots are:

1) In front of your firewall. Sees everything going in/out, but is noisy. 
Also if you are NATed it can be tricky to figure out which local machine is 

2) Behind your firewall. Quieter, and only sees what makes it past the 
firewall. Doesn't observe attacks on the firewall, and doesn't observe 
unsuccessful recon probes that the firewall kills. Usually at this point 
any NATing has already occurred, so figuring out the local host is easier.

3) In your DMZ. Great for a custom-tweaked ruleset that aggressively 
monitors your DMZ. Since not all of the traffic in the network will reach 
here, traffic loading is lighter, allowing for more detailed rulesets.

4) On a mirror port of your LAN switch. Great for watching for "inside" 
attacks (disgruntled employees, etc). High traffic volume and speed may 
limit the complexity of the ruleset you can use.

Note: depending on how your network is set up, there may not be the 
possibility of #2, other than by implementing both 3 and 4 (ie: if your 
firewall is a router that separates out your DMZ, there may be no single 
"behind the firewall" point)

More information about the Snort-users mailing list