Security Incidents mailing list archives
Re: ICMP Source Quench - Can it be some flood attack?
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Fri, 8 Sep 2000 17:31:56 -0400
The purpose of an ICMP source quench is to convey to one machine that the receiving host cannot process more data at this time and it should slow down until the host is capable of handling more. I wrote on this in my Theories in DoS paper and wrote a script for it.

www.antioffline.com/TID/ Theories in DoS
www.antioffline.com/TID/tidcmp.c
http://packetstorm.securify.com/0006-exploits/tidcmp.c (mirror)

It's a lame attack and can be blocked easily by not allowing any ICMP source quench messages in.

J. Oquendo // sil

------Original Message------
From: Vinicius Vianna <ds () WEXPERTS COM BR>
To: INCIDENTS () SECURITYFOCUS COM
Sent: September 8, 2000 6:32:35 PM GMT
Subject: ICMP Source Quench - Can it be some flood attack?

Last night I received some Snort alerts that my machine was receiving some ICMP Source Quench. After some research I found out this ICMP message is sent when a host cannot process data due to an overload or something else, but as I received these ICMP messages on two IPs, the normal IP that is used to send data and another IP used only for people to access some web pages, can this be some flood attack to slow down or flood a machine?

Thanks in advance

Snort syslog format file:

09/06-22:55:21.306503 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:55:21.315022 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.422982 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.429067 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.437629 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.440503 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.477759 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.480583 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.500551 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.526330 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.529171 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.531157 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.534927 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.546433 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.550941 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.559408 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.631409 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.652404 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.670846 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.679427 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.682211 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.687902 [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248

(time in GMT -0300, ntp sync)

Vinicius Pavanelli Vianna
Wexperts Internet Solutions
Director
Phone: +55 16 625 2133
URL: http://www.wexperts.com.br
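A triage sketch for alerts like the ones in this thread, added here as an example (not code from either poster): it parses Snort alert lines of the format shown above and groups the Source Quench alerts from each sender into bursts, so an analyst can see how many arrived, how fast, and at which addresses. The sample lines are constructed with documentation addresses; the year (the format carries none) and the one-second gap threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the alert format quoted in the post, using
# documentation address ranges (not the addresses from the thread).
SAMPLE = """\
09/06-22:55:21.306503 [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:55:21.315022 [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:59:43.422982 [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.247
09/06-22:59:43.429067 [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.247
09/06-22:59:43.534927 [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:59:44.001000 [**] Some Other Alert [**] 192.0.2.9 -> 198.51.100.247
"""

ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?")

def parse_alerts(text, year=2000):
    """Yield (time, msg, src, dst) for every alert found in text.

    The timestamp has no year, so one is assumed (parameter, default 2000).
    finditer is used so alerts run together on one line are still found.
    """
    for m in ALERT_RE.finditer(text):
        when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        yield when, m["msg"], m["src"], m["dst"]

def source_quench_bursts(text, max_gap=timedelta(seconds=1)):
    """Group Source Quench alerts per sender into bursts, split at gaps > max_gap."""
    by_src = {}
    for when, msg, src, dst in sorted(parse_alerts(text)):
        if "source quench" not in msg.lower():
            continue  # unrelated alert
        bursts = by_src.setdefault(src, [])
        if not bursts or when - bursts[-1]["end"] > max_gap:
            bursts.append({"src": src, "start": when, "end": when, "targets": Counter()})
        bursts[-1]["end"] = when
        bursts[-1]["targets"][dst] += 1
    return [b for bursts in by_src.values() for b in bursts]

if __name__ == "__main__":
    for b in source_quench_bursts(SAMPLE):
        print(b["src"], b["start"].time(), sum(b["targets"].values()), "alerts in",
              (b["end"] - b["start"]).total_seconds(), "s ->", dict(b["targets"]))
```

A single sender producing tight bursts toward several local addresses is the pattern to compare against what those addresses were actually sending to that host at the time.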