Security Incidents mailing list archives
Re: ICMP Source Quench - Can it be some flood attack?
From: Mixter <mixter () 2XS CO IL>
Date: Sat, 9 Sep 2000 17:27:17 +0200
According to the logs, it looks like it's coming from your own router. Source quench is used to temporarily decrease the amount of data transferred, when a router can't handle the network load, for example... you should try to find out if that's the case, if you have line problems, etc.

The problem is that this could also very well be spoofed as coming from your router, as source quench could naturally be used as DoS, by someone who spoofs as your router to cut down your bandwidth.

On Fri, 8 Sep 2000, Vinicius Vianna wrote:

Last night I received some Snort alerts that my machine was receiving some ICMP Source Quench. After some research I found out this ICMP message is sent when a host cannot process data due to an overload or something else, but as I received these ICMP messages on two IPs, the normal IP that is used to send data, and another IP, used only for people to access some web pages, can this be some flood attack to slow down or flood a machine?

Thanks in advance

Snort syslog format file:

09/06-22:55:21.306503 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:55:21.315022 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.422982 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.429067 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.437629 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.440503 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.477759 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.480583 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.500551 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.526330 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.529171 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.531157 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.534927 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.546433 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.550941 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.559408 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.631409 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.652404 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.670846 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.679427 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.682211 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.687902 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248

(time in GMT -0300, ntp sync)

Vinicius Pavanelli Vianna
Wexperts Internet Solutions
Director
Phone: +55 16 625 2133
URL: http://www.wexperts.com.br
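
A triage sketch for alerts like the ones quoted above (an added example, not part of either post): it groups Source Quench alerts into bursts, so each burst's start time, length and targets can be compared with the host's own outbound traffic and the router's load, as the reply suggests. The year, the one-second gap and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Five alert lines copied from the log excerpt quoted in the thread.
SAMPLE = """\
09/06-22:55:21.306503 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:55:21.315022 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.422982 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.429067 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.534927 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
"""

# Alert layout as quoted: MM/DD-HH:MM:SS.usec [**] message [**] src -> dst
ALERT = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3})")

def parse_alerts(text, year=2000):
    """Yield (time, src, dst) per Source Quench alert; the log has no year, so it is assumed."""
    for m in ALERT.finditer(text):  # finditer also copes with alerts run together on one line
        if "Source Quench" not in m["msg"]:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield ts, m["src"], m["dst"]

def bursts(alerts, max_gap=timedelta(seconds=1)):
    """Group alerts into bursts separated by more than max_gap of silence."""
    groups = []
    for ts, src, dst in sorted(alerts):
        if not groups or ts - groups[-1][-1][0] > max_gap:
            groups.append([])
        groups[-1].append((ts, src, dst))
    return [{
        "start": g[0][0],
        "seconds": (g[-1][0] - g[0][0]).total_seconds(),
        "count": len(g),
        "sources": Counter(s for _, s, _ in g),   # claimed sender of the quench
        "targets": Counter(d for _, _, d in g),   # local addresses being throttled
    } for g in groups]

if __name__ == "__main__":
    for b in bursts(parse_alerts(SAMPLE)):
        print(b["start"], b["count"], f"{b['seconds']:.3f}s",
              dict(b["sources"]), dict(b["targets"]))
```

The source address in each alert is only what the packet claims, so the burst times are the part worth correlating with router and traffic data.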