Snort mailing list archives
RE: ICMP Source Quench
From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 28 Aug 2002 13:16:24 +0100
Source Quench (ICMP Type 4)

A. Router Behavior

A.1 ICMP Source Quench error message issued by a Router

If a router sends this message, it means that the router does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. It simply means that the router is congested.

RFC 1812 specifies that a router should not generate Source Quench error messages, but a router that does originate Source Quench error messages must be able to limit the rate at which they are generated.

The RFC states the reasons for limiting the rate when generating ICMP error messages:
- The consumption of network bandwidth on the reverse path
- The burden on the Router's CPU and memory

A.2 A router receiving an ICMP Source Quench error message

When a router receives an ICMP Source Quench error message (which is directly aimed at the router) it may ignore the Source Quench error message. If the router decides not to ignore the ICMP Source Quench error message it needs to cut back the rate at which it is sending traffic to the destination system which sent this ICMP error message to the Router.

B. Host Behavior

B.1 A Host sending an ICMP Source Quench error message

A destination host may send a Source Quench error message (it may be implemented) if it is approaching, or already reached, the point at which it is no longer able to process some of the incoming packets because it does not have the buffer space (or resources) to process them. The ICMP header code would be always zero.

B.2 A Host receiving an ICMP Source Quench error message

When a sending host receives an ICMP Source Quench error message from the destination Host it should throttle itself back for a period of time, and then gradually increase the transmission rate again.

Source Quench error messages must be reported by the IP layer to the transport layer. The host should throttle itself back for a period of time, then gradually increase the transmission rate again.

The TCP transport protocol must react to Source Quench error messages by slowing the transmission rate on the connection. RFC 1122 recommends TCP to throttle back to its "slow start" transmission algorithm.

With the next example an HP Open View system, based on HPUX B.11.0 operating system is probing the 172.18.2.x network in order to discover the network topology. Since this operation was done without any rate limiting of the sending of packets, at a certain point the HPUX machine has reached the point it is no longer able to process some incoming packets. Here is one of the ICMP Source Quench error messages it sent:

10:48:43.197728 eth0 < 172.18.2.5 > 172.18.2.201: icmp: source quench Offending pkt: 172.18.2.201 > 172.18.2.5: icmp: echo reply (DF) (ttl 255, id 0) (DF) (ttl 255, id 43363)
    4500 0070 a963 4000 ff01 7536 ac12 0205
    ac12 02c9 0400 fbff 0000 0000 4500 0054
    0000 4000 ff01 1eb6 ac12 02c9 ac12 0205
    0000 67dc 0761 081f 3b0b 4f4b 0006 fe46
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000
    0000 0000 0000 0000 0000 0000 0000 0000

Hope this helps

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

For more information: http://www.sys-security.com

Copyright (c) Ofir Arkin & The Sys-Security Group 1999-2002, all rights reserved
Attachment:
source_quench.txt
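The dump in the message above can be decoded field by field. The following is an added example, not part of the original post: it parses the quoted bytes, verifies the three checksums, and checks the properties the post describes (ICMP code zero, error returned to the sender of the offending packet, host-originated versus router-originated). The function and key names are hypothetical.

```python
import socket
import struct

# Bytes of the datagram in the tcpdump output quoted in the post.
PACKET = bytes.fromhex(
    "45000070a9634000ff017536ac120205ac1202c9"  # outer IPv4 header
    "0400fbff00000000"                          # ICMP type 4, code 0, unused
    "4500005400004000ff011eb6ac1202c9ac120205"  # embedded offending IPv4 header
    "000067dc0761081f3b0b4f4b0006fe46"          # embedded ICMP echo reply
    + "00" * 48                                 # rest of the echo payload
)

def checksum_ok(data):
    """RFC 1071: the one's-complement sum over a valid region is 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 datagram."""
    if len(buf) < 20 or buf[0] >> 4 != 4 or (buf[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", buf[2:6])
    hdr = {"id": ident, "ttl": buf[8], "proto": buf[9],
           "src": socket.inet_ntoa(buf[12:16]),
           "dst": socket.inet_ntoa(buf[16:20]),
           "hdr_ok": checksum_ok(buf[:ihl])}
    return hdr, buf[ihl:total_len]

def parse_source_quench(packet):
    """Decode an ICMP Source Quench and the offending datagram it quotes."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != 1 or len(icmp) < 8 or icmp[0] != 4:
        raise ValueError("not an ICMP Source Quench")
    inner, _ = parse_ipv4(icmp[8:])
    return {
        "outer": outer, "offending": inner,
        "code": icmp[1],                  # always zero per the post (B.1)
        "icmp_ok": checksum_ok(icmp),
        # The error must go back to whoever sent the offending datagram.
        "returned_to_sender": outer["dst"] == inner["src"],
        # True for a congested destination host (B.1), False for a router (A.1).
        "from_destination_host": outer["src"] == inner["dst"],
    }
```

For the quoted packet all three checksums verify, and the quench comes from the destination host itself (172.18.2.5) rather than from a router on the path.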