Re: ICMP Source Quench - Can it be some flood attack?

[Mixter <mixter () 2XS CO IL>]

According to the logs, it looks like it's coming from your own router.
Source quench is used to temporarily decrease the amount of data
transferred, when a router can't handle the network load, for example...
you should try to find out if that's the case, if you have line problems,
etc. The problem is that this could also very well be spoofed as coming
from your router, as source quench could naturally be used as DoS, by
someone who spoofs as your router to cut down your bandwidth.

On Fri, 8 Sep 2000, Vinicius Vianna wrote:

> Last night i received some snort alerts that my machine was receiving some ICMP Source Quench, after some research i 
> find out this icmp message is sent when a host cannot process data due to a overload or something else, but as i 
> received this icmp messages in two IPs, the normal ip that is used to send data, and a other IP, used only to people 
> access some web pages can this be some flood attack to slow down or flood a machine?
>
> Thanks in advance
>
> Snort syslog format file:
> 09/06-22:55:21.306503  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:55:21.315022  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.422982  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.429067  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.437629  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.440503  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.477759  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.480583  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.500551  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.526330  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.529171  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.531157  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
> 09/06-22:59:43.534927  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.546433  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.550941  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.559408  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.631409  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.652404  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.670846  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.679427  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.682211  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> 09/06-22:59:43.687902  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
> (time in GMT -0300, ntp sync)
> Vinicius Pavanelli Vianna
> Wexperts Internet Solutions
> Diretor
> Fone: +55 16 625 2133
> URL: http://www.wexperts.com.br