Security Incidents mailing list archives
Re: ICMP Source Quench - Can it be some flood attack?
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 8 Sep 2000 17:38:24 -0400
On Fri, 8 Sep 2000, Vinicius Vianna wrote:
Last night i received some snort alerts that my machine was receiving some ICMP Source Quench
[snip]
...but as i received this icmp messages in two IPs, the normal ip that is used to send data, and a other IP, used only to people access some web pages can this be some flood attack to slow down or flood a machine?
can ICMP source quenches be used as an effective DoS? yes. look at tcpslow from Dug Song, which uses ICMP_source_quench's to slow down a host. you can flood the sender easily and cause them to relent in sending traffic. it's just an abuse of the "hey, slow down" mechanisms in IP. if you get told to slow it down too much, you may just stop. jose nazario jose () biochemistry cwru edu PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
Current thread:
- ICMP Source Quench - Can it be some flood attack? Vinicius Vianna (Sep 08)
- Re: ICMP Source Quench - Can it be some flood attack? Jose Nazario (Sep 12)
- Re: ICMP Source Quench - Can it be some flood attack? Mixter (Sep 12)
- <Possible follow-ups>
- Re: ICMP Source Quench - Can it be some flood attack? J. Oquendo (Sep 12)