Security Incidents mailing list archives

Re: ICMP Source Quench - Can it be some flood attack?


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Fri, 8 Sep 2000 17:38:24 -0400

On Fri, 8 Sep 2000, Vinicius Vianna wrote:

Last night I received some snort alerts that my machine was receiving
some ICMP Source Quench

[snip]

...but as I received these ICMP messages on two IPs, the
normal IP that is used to send data, and another IP, used only for
people to access some web pages, can this be some flood attack to slow
down or flood a machine?

can ICMP source quenches be used as an effective DoS? yes. look at tcpslow
from Dug Song, which uses ICMP_source_quench's to slow down a host. you
can flood the sender easily and cause them to relent in sending traffic.
it's just an abuse of the "hey, slow down" mechanisms in IP. if you get
told to slow it down too much, you may just stop.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
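
A defender-side triage for the alerts discussed in this thread, as an added example that is not part of either post: an ICMP Source Quench (RFC 792, type 4, code 0) quotes the IP header and first 8 bytes of the datagram it claims to answer, so each one can be checked against flows the host really has open. The function names, the flow table, the burst threshold and the sample addresses are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

ICMP_SOURCE_QUENCH = 4  # RFC 792: type 4, code 0

def parse_source_quench(icmp):
    """Return the flow (src, sport, dst, dport) quoted in a Source Quench, else None."""
    if len(icmp) < 36 or icmp[0] != ICMP_SOURCE_QUENCH or icmp[1] != 0:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    if inner[9] not in (6, 17):           # ports only exist for TCP and UDP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def triage(messages, active_flows, burst=3):
    """messages: (sender_ip, icmp_bytes) pairs. Returns (unsolicited, noisy_senders)."""
    unsolicited, per_sender = [], Counter()
    for sender, icmp in messages:
        flow = parse_source_quench(icmp)
        if flow is None:
            continue                      # not a well-formed source quench
        per_sender[sender] += 1
        if flow not in active_flows:      # quotes traffic this host never sent
            unsolicited.append((sender, flow))
    noisy = sorted(s for s, n in per_sender.items() if n >= burst)
    return unsolicited, noisy

def build_quench(src, sport, dst, dport):
    """Constructed message: ICMP header + quoted IPv4/TCP header (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", 4, 0, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed sample (documentation addresses): one quench matching a real flow,
# then three from another sender quoting a flow the host does not have.
ACTIVE = {("192.0.2.10", 40000, "198.51.100.5", 80)}
SAMPLE = [("198.51.100.1", build_quench("192.0.2.10", 40000, "198.51.100.5", 80))] + \
         [("203.0.113.9", build_quench("192.0.2.10", 51515, "198.51.100.77", 25))] * 3

if __name__ == "__main__":
    print(triage(SAMPLE, ACTIVE))
```

A quench that quotes no live flow, or a burst from a single sender, is the pattern worth escalating; one that matches a busy outbound connection is more likely genuine congestion feedback.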

