[Snort-users] source quench icmp and advice
mkettler at ...4108...
Thu Jul 24 19:33:04 EDT 2003
At 09:28 AM 7/25/2003 +0800, cc wrote:
>I've been getting quite a few of these icmp packets
>from a particular host, and I'm a little perturbed
>I've read about what a source quench packet does
>so I'm worried whether or not my routing system
>is screwed up or if the packet source IP is
They certainly aren't going to DoS you that way. If they are only coming
from one IP address, all they will do is quench any communications that you
are sending to THEM and not anywhere else. Hardly a DoS unless the source
IP is someplace important (i.e. someone flooding you with spoofed source
quenches from www.google.com).
My guess is that the source of the messages you are getting is actually a
victim network being flooded to death by a DDoS attack of some sort. Your
IP address may be one of the many spoofed addresses the attackers are
using. The target network then generates some source quench packets to try
to stop the flood, however the flood is probably coming from elsewhere.
>Also, I'd like to get some advice. On what
>system should snort be used? I'm currently
>testing it on my company's firewall. Is that
>the right place? I figured that since that's
>the access point from the Net to the LAN,
>it would be a right place to check what
>items of interest are hitting my firewall.
Really there is no universal "best place"; it all depends on what YOU need.
In general the common spots are:
1) In front of your firewall. Sees everything going in/out, but is noisy.
Also if you are NATed it can be tricky to figure out which local machine is
2) Behind your firewall. Quieter, and only sees what makes it past the
firewall. Doesn't observe attacks on the firewall, and doesn't observe
unsuccessful recon probes that the firewall kills. Usually at this point
any NATing has already occurred, so figuring out the local host is easier.
3) In your DMZ. Great for a custom-tweaked ruleset that aggressively
monitors your DMZ. Since not all of the traffic in the network will reach
here, traffic loading is lighter, allowing for more detailed rulesets.
4) On a mirror port of your LAN switch. Great for watching for "inside"
attacks (disgruntled employees, etc.). High traffic volume and speed may
limit the complexity of the ruleset you can use.
Note: depending on how your network is set up, there may not be the
possibility of #2, other than by implementing both 3 and 4 (i.e. if your
firewall is a router that separates out your DMZ, there may be no single
"behind the firewall" point).
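As an added illustration (not part of the original thread), the following Python parses ICMP source quench packets and asks the question the reply above raises: does the datagram echoed inside the quench correspond to a flow we actually have open? A quench that matches one is plausible; one that names our address as the sender but matches nothing we sent is backscatter from a flood that spoofed our address. The packets, addresses and flow table are constructed for the example; on a real host the flow table would come from the connection table.

```python
"""Classify ICMP source quench (type 4) packets by whether the embedded datagram
is one we really sent (plausible) or one spoofed with our address (backscatter)."""
import struct
import ipaddress
from typing import Optional

ICMP_SOURCE_QUENCH = 4
PROTO_ICMP, PROTO_TCP = 1, 6


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left at zero; not checked below)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_source_quench(quencher: str, us: str, inner_src: str, inner_dst: str,
                        sport: int, dport: int) -> bytes:
    """Constructed sample packet: quencher -> us, ICMP type 4, carrying the IP
    header plus the first 8 bytes (TCP ports + seq) of the datagram being quenched."""
    inner = ipv4_header(inner_src, inner_dst, PROTO_TCP, 40) + struct.pack("!HHI", sport, dport, 0)
    body = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0) + inner
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    return ipv4_header(quencher, us, PROTO_ICMP, 20 + len(body)) + body


def parse_source_quench(pkt: bytes) -> Optional[dict]:
    """Return the fields of a well-formed ICMP source quench, else None."""
    if len(pkt) < 20 or pkt[9] != PROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    # 8-byte ICMP header + embedded IP header (>= 20) + 8 bytes of its payload
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_SOURCE_QUENCH:
        return None
    if icmp_checksum(icmp) != 0:          # a message with a valid checksum sums to zero
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "quencher": str(ipaddress.IPv4Address(pkt[12:16])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9], "sport": sport, "dport": dport,
    }


def classify_quench(pkt: bytes, our_addrs: set, active_flows: set) -> str:
    """our_addrs: addresses we own. active_flows: (src, sport, dst, dport) tuples
    we currently have open (in practice taken from the host's connection table)."""
    q = parse_source_quench(pkt)
    if q is None:
        return "not-source-quench"
    if q["inner_src"] not in our_addrs:
        return "foreign"            # the quenched datagram was never ours
    if (q["inner_src"], q["sport"], q["inner_dst"], q["dport"]) in active_flows:
        return "plausible"          # we really are talking to that host
    return "spoofed-backscatter"    # claims to be ours, but we sent nothing like it


# Constructed sample data: our address, one real flow, and three quenches.
OUR_ADDRS = {"203.0.113.10"}
ACTIVE_FLOWS = {("203.0.113.10", 40000, "198.51.100.5", 80)}
SAMPLES = {
    "real": build_source_quench("198.51.100.5", "203.0.113.10", "203.0.113.10", "198.51.100.5", 40000, 80),
    "spoof": build_source_quench("198.51.100.77", "203.0.113.10", "203.0.113.10", "198.51.100.77", 51515, 80),
    "foreign": build_source_quench("198.51.100.77", "203.0.113.10", "192.0.2.9", "198.51.100.77", 1234, 80),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_quench(pkt, OUR_ADDRS, ACTIVE_FLOWS))
```

Snort's own ICMP rules can select these packets with `itype:4`, but a signature cannot know whether the embedded flow is real; that correlation has to happen on the sensor or the host, which is what the classification above does. Modern hosts ignore source quench entirely (RFC 6633 deprecated it), so today the value of such packets is purely as evidence that someone is spoofing your address.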