Security Incidents mailing list archives

Re: ICMP Source Quench - Can it be some flood attack?


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Fri, 8 Sep 2000 17:31:56 -0400

The purpose of an ICMP source quench is to convey to one machine that the receiving host cannot process more data at
this time and it should slow down until the host is capable of handling more. I wrote on this in my Theories in DoS
paper and wrote a script for it.

www.antioffline.com/TID/ Theories in DoS
www.antioffline.com/TID/tidcmp.c
http://packetstorm.securify.com/0006-exploits/tidcmp.c (mirror)

It's a lame attack and can be blocked easily by not allowing any ICMP source quench messages in.

J. Oquendo // sil

------Original Message------
From: Vinicius Vianna <ds () WEXPERTS COM BR>
To: INCIDENTS () SECURITYFOCUS COM
Sent: September 8, 2000 6:32:35 PM GMT
Subject: ICMP Source Quench - Can it be some flood attack?


Last night I received some snort alerts that my machine was receiving some ICMP Source Quench. After some research I
found out this ICMP message is sent when a host cannot process data due to an overload or something else, but as I
received these ICMP messages on two IPs, the normal IP that is used to send data, and another IP, used only for people
to access some web pages, can this be some flood attack to slow down or flood a machine?

Thanks in advance

Snort syslog format file:
09/06-22:55:21.306503  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:55:21.315022  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.422982  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.429067  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.437629  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.440503  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.477759  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.480583  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.500551  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.526330  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.529171  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.531157  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.247
09/06-22:59:43.534927  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.546433  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.550941  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.559408  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.631409  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.652404  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.670846  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.679427  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.682211  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
09/06-22:59:43.687902  [**] PING-ICMP Source Quench [**] 200.210.59.73 -> 200.210.49.248
(time in GMT -0300, ntp sync)
Vinicius Pavanelli Vianna
Wexperts Internet Solutions
Director
Phone: +55 16 625 2133
URL: http://www.wexperts.com.br
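
A defender's way to triage alerts like the ones in the original message, as an added example (not code from either poster, and unrelated to the tidcmp.c script linked above): it groups Source Quench alerts per source/destination pair into bursts and reports how many arrived and over what time span. The sample lines are constructed in the alert format shown in the post using documentation addresses; the year (absent from the log) and the 1-second burst gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the alert format shown in the post (documentation addresses).
SAMPLE = """\
09/06-22:55:21.306503  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:55:21.315022  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:59:43.422982  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.247
09/06-22:59:43.429067  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.247
09/06-22:59:43.437629  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.247
09/06-22:59:43.534927  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
09/06-22:59:43.546433  [**] PING-ICMP Source Quench [**] 192.0.2.73 -> 198.51.100.248
this line is not an alert and is skipped
"""

ALERT = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(.*?)\s+\[\*\*\]\s+(\S+)\s+->\s+(\S+)\s*$")

def parse(text, year=2000):
    """Yield (timestamp, message, src, dst); the log has no year, so one is assumed."""
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def quench_bursts(text, gap=timedelta(seconds=1)):
    """Group Source Quench alerts per (src, dst) into bursts split by quiet gaps."""
    per_flow = defaultdict(list)
    for ts, msg, src, dst in parse(text):
        if "Source Quench" in msg:
            per_flow[(src, dst)].append(ts)
    bursts = []
    for (src, dst), times in per_flow.items():
        times.sort()
        start, prev, count = times[0], times[0], 1
        for ts in times[1:]:
            if ts - prev > gap:  # quiet period: close the current burst, open a new one
                bursts.append((src, dst, start, count, (prev - start).total_seconds()))
                start, count = ts, 0
            prev = ts
            count += 1
        bursts.append((src, dst, start, count, (prev - start).total_seconds()))
    return sorted(bursts, key=lambda b: b[2])  # chronological order

if __name__ == "__main__":
    for src, dst, start, count, span in quench_bursts(SAMPLE):
        print(f"{start:%m/%d %H:%M:%S} {src} -> {dst}: {count} quench(es) in {span:.3f}s")
```

Comparing each burst against the traffic the destination was actually sending to that source at the time shows whether the quenches answer real outbound load or arrive unsolicited.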
