Snort mailing list archives
Re: source quench icmp and advice
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Jul 2003 22:29:23 -0400
At 09:28 AM 7/25/2003 +0800, cc wrote:
I've been getting quite a few of these icmp packets from a particular host, and I'm a little perturbed about this. I've read about what a source quench packet does so I'm worried whether or not my routing system is screwed up or if the packet source IP is DoS'ing me.
They certainly aren't going to DoS you that way. If they are only coming from one IP address, all they will do is quench any communications that you are sending to THEM and not anywhere else. Hardly a DoS unless the source IP is someplace important (ie: someone flooding you with spoofed source quenches from www.google.com).
My guess is that the source of the messages you are getting is actually a victim network being flooded to death by a DDoS attack of some sort. Your IP address may be one of the many spoofed addresses the attackers are using. The target network then generates some source quench packets to try to stop the flood, however the flood is probably coming from elsewhere.
Also, I'd like to get some advice. On what system should snort be used? I'm currently testing it on my company's firewall. Is that the right place? I figured that since that's the access point from the Net to the LAN, it would be a right place to check what items of interest are hitting my firewall.
Really there is no universal "best place"... it all depends on what YOU need. In general the common spots are:
1) In front of your firewall. Sees everything going in/out, but is noisy. Also if you are NATed it can be tricky to figure out which local machine is involved.
2) Behind your firewall. Quieter, and only sees what makes it past the firewall. Doesn't observe attacks on the firewall, and doesn't observe unsuccessful recon probes that the firewall kills. Usually at this point any NATing has already occurred, so figuring out the local host is easier.
3) In your DMZ. Great for a custom-tweaked ruleset that aggressively monitors your DMZ. Since not all of the traffic in the network will reach here, traffic loading is lighter, allowing for more detailed rulesets.
4) On a mirror port of your LAN switch. Great for watching for "inside" attacks (disgruntled employees, etc). High traffic volume and speed may limit the complexity of the ruleset you can use.
Note: depending on how your network is set up, there may not be the possibility of #2, other than by implementing both 3 and 4 (ie: if your firewall is a router that separates out your DMZ, there may be no single "behind the firewall" point).
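The backscatter reasoning above can be checked mechanically: an ICMP source quench (type 4) carries the IP header and first 8 bytes of the datagram it is reacting to, so a sensor can read the quoted source/destination/ports and ask whether that datagram is one this site actually sent. The following Python is an added example written for this archive page, not code from the thread or from Snort. The addresses are constructed from the RFC 5737 documentation ranges, the packets are built inline, and the `active_flows` set stands in for whatever source of truth a site has for its own outbound connections (a firewall state table, for instance); that source is an assumption, not something the message describes.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP_SOURCE_QUENCH = 4  # ICMP type 4 (RFC 792)
IPPROTO_ICMP = 1


def _checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented.
    Run over a message that already contains a valid checksum field it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload. Constructed for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_source_quench(quencher: str, orig_src: str, orig_dst: str,
                        orig_proto: int, sport: int, dport: int) -> bytes:
    """Constructed ICMP source quench: 8-byte ICMP header + quoted original IP header
    + first 8 bytes of its payload (for TCP/UDP those start with the two ports)."""
    quoted = build_ipv4(orig_src, orig_dst, orig_proto, struct.pack("!HHI", sport, dport, 0))[:28]
    icmp = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return build_ipv4(quencher, orig_src, IPPROTO_ICMP, icmp)


@dataclass
class Quench:
    quencher: str     # outer IP source: the host or router that sent the quench
    orig_src: str     # source of the datagram being quenched (from the quoted header)
    orig_dst: str     # destination of that datagram
    orig_proto: int
    orig_sport: int
    orig_dport: int


def parse_source_quench(pkt: bytes) -> Optional[Quench]:
    """Return the quoted-datagram details from a raw IPv4/ICMP source quench, or None
    if the packet is not a well-formed source quench (wrong type, bad checksum, truncated)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != ICMP_SOURCE_QUENCH or _checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:   # RFC 792 requires 64 bits of the original payload
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return Quench(_ip_str(pkt[12:16]), _ip_str(inner[12:16]), _ip_str(inner[16:20]),
                  inner[9], sport, dport)


Flow = Tuple[str, str, int, int, int]  # (src, dst, proto, sport, dport)


def classify(q: Quench, our_addrs: Set[str], active_flows: Set[Flow]) -> str:
    """Decide what a received source quench is telling us.
    active_flows is assumed to list (src, dst, proto, sport, dport) tuples this site
    has actually transmitted, e.g. taken from the firewall's state table."""
    if q.orig_src not in our_addrs:
        return "quoted-source-not-ours"   # misdelivered: the quoted sender is not us at all
    if (q.orig_src, q.orig_dst, q.orig_proto, q.orig_sport, q.orig_dport) in active_flows:
        return "matches-active-flow"      # genuine congestion signal for a connection we own
    return "no-matching-flow"             # we never sent it: backscatter from a spoofed flood


if __name__ == "__main__":
    # Constructed scenario: 203.0.113.9 quenches a TCP/80 datagram that claims to come from us.
    pkt = build_source_quench("203.0.113.9", "198.51.100.7", "203.0.113.9", 6, 40000, 80)
    q = parse_source_quench(pkt)
    print(q, classify(q, {"198.51.100.7"}, set()))
```

A sensor sitting in front of the firewall (spot #1 above) sees the quench before NAT, so the quoted source address compares directly against the site's public addresses; behind the firewall the quoted source would already be translated, which is the NAT bookkeeping problem the message mentions.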