Snort mailing list archives

RE: ICMP Source Quench

From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Wed, 4 Sep 2002 10:40:17 -0400

FYI ... this is also noted specifically in the book "Intrusion Signatures
and Analysis".

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc optus net au]
Sent: Wednesday, August 28, 2002 9:15 AM
To: 'snort-users-request () lists sourceforge net'
Cc: Ofir Arkin; 'McCammon, Keith'; 'Wirth, Jeff'; 'Sergei Balyakin'
Subject: Re: [Snort-users] ICMP Source Quench


Ofir Arkin wrote:

With the next example an HP Open View system, based on HPUX B.11.0

operating system is probing the

172.18.2.x network in order to discover the network topology. Since this

operation was done without

any rate limiting of the sending of packets, at a certain point the HPUX

machine has reached the point

it is no longer able to process some incoming packets. Here is one of the

ICMP Source Quench error

messages it sent:


Just to add some additional information w.r.t HP/UX.

HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where 
due to some design issue (i forgot the details off the top of my head) 
caused it to generate quite a number of ICMP Source Quench's.

I remember Snort going nuts reporting Source Quench's, before i got our 
guys to install the patches, and i've hardly seen one since.

There are patches for all supported versions of HP/UX, and i beleive 
this is fixed in HP/UX 11.x (i vaguely remember it had something do with 
the streams driver).

Email me privately and i can dig up specifics if required..




Cheers,

Chris.



-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

ICMP Source Quench Sergei Balyakin (Aug 27)
- <Possible follow-ups>
- RE: ICMP Source Quench Dan Fiorito (Aug 27)
- RE: ICMP Source Quench McCammon, Keith (Aug 27)
- RE: ICMP Source Quench Wirth, Jeff (Aug 27)
- RE: ICMP Source Quench McCammon, Keith (Aug 27)
  - RE: ICMP Source Quench Ofir Arkin (Aug 28)
    - Re: ICMP Source Quench Chris Keladis (Aug 28)
    - RE: ICMP Source Quench Ofir Arkin (Aug 28)
- RE: ICMP Source Quench Hicks, John (Sep 04)