Snort mailing list archives

Re: source quench icmp and advice


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Jul 2003 22:29:23 -0400

At 09:28 AM 7/25/2003 +0800, cc wrote:
> I've been getting quite a few of these ICMP packets
> from a particular host, and I'm a little perturbed
> about this.
>
> I've read about what a source quench packet does
> so I'm worried whether or not my routing system
> is screwed up or if the packet source IP is
> DoS'ing me.

They certainly aren't going to DoS you that way. If they are only coming from one IP address, all they will do is quench any communications that you are sending to THEM and not anywhere else. Hardly a DoS unless the source IP is someplace important (i.e. someone flooding you with spoofed source quenches from www.google.com).

My guess is that the source of the messages you are getting is actually a victim network being flooded to death by a DDoS attack of some sort. Your IP address may be one of the many spoofed addresses the attackers are using. The target network then generates some source quench packets to try to stop the flood; however, the flood is probably coming from elsewhere.



> Also, I'd like to get some advice.  On what
> system should Snort be used?   I'm currently
> testing it on my company's firewall.  Is that
> the right place?  I figured that since that's
> the access point from the Net to the LAN,
> it would be a right place to check what
> items of interest are hitting my firewall.

Really there is no universal "best place". It all depends on what YOU need.

In general the common spots are:

1) In front of your firewall. Sees everything going in/out, but is noisy. Also if you are NATed it can be tricky to figure out which local machine is involved.

2) Behind your firewall. Quieter, and only sees what makes it past the firewall. Doesn't observe attacks on the firewall, and doesn't observe unsuccessful recon probes that the firewall kills. Usually at this point any NATing has already occurred, so figuring out the local host is easier.

3) In your DMZ. Great for a custom-tweaked ruleset that aggressively monitors your DMZ. Since not all of the traffic in the network will reach here, traffic loading is lighter, allowing for more detailed rulesets.

4) On a mirror port of your LAN switch. Great for watching for "inside" attacks (disgruntled employees, etc). High traffic volume and speed may limit the complexity of the ruleset you can use.


Note: depending on how your network is set up, there may not be the possibility of #2, other than by implementing both 3 and 4 (i.e. if your firewall is a router that separates out your DMZ, there may be no single "behind the firewall" point).
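The check a practitioner would want for the source quench question above is to look inside the ICMP message: RFC 792 requires a type 4 packet to quote the IP header and first 8 bytes of the datagram it is throttling, so you can tell whether that datagram is one your host actually sent (a genuine quench, which only slows your traffic to that one destination) or one that merely carries your address (backscatter from a flood that spoofed you). The following is an added example, not code from the original post or from the Snort project; the sample packets, the addresses (203.0.113.10 as "us", 198.51.100.5 as a real peer, 192.0.2.77 as a flooded victim) and the `MY_FLOWS` connection table are all constructed for illustration, and in real use the flow table would come from the host's own connection state.

```python
"""Triage ICMP source quench (type 4) messages: genuine throttling of traffic
we really sent, or backscatter from a flood that spoofed our address?"""
import ipaddress
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass

ICMP_SOURCE_QUENCH = 4
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_source_quench(quencher: str, victim: str, inner_src: str,
                        inner_dst: str, inner_proto: int, inner_l4: bytes) -> bytes:
    """Constructed test packet: ICMP type 4 from `quencher` to `victim`, quoting
    the header plus first 8 payload bytes of the datagram it claims to throttle."""
    quoted = build_ipv4(inner_src, inner_dst, inner_proto, inner_l4)[:28]
    icmp = struct.pack("!BBHI", ICMP_SOURCE_QUENCH, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(quencher, victim, PROTO_ICMP, icmp)


@dataclass
class Quench:
    quencher: str      # outer source address: the host asking us to slow down
    inner_src: str     # who the quoted datagram claims to be from
    inner_dst: str     # where the quoted datagram was going
    inner_proto: int
    inner_sport: int
    inner_dport: int


def parse_source_quench(pkt: bytes):
    """Return a Quench for a valid ICMP type 4 packet, else None."""
    if len(pkt) < 20 or pkt[9] != PROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_SOURCE_QUENCH:
        return None
    if inet_checksum(icmp) != 0:      # corrupt or truncated: don't trust the quote
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport = dport = 0
    l4 = inner[inner_ihl:inner_ihl + 4]
    if inner[9] in (PROTO_TCP, PROTO_UDP) and len(l4) == 4:
        sport, dport = struct.unpack("!HH", l4)
    return Quench(str(ipaddress.IPv4Address(pkt[12:16])),
                  str(ipaddress.IPv4Address(inner[12:16])),
                  str(ipaddress.IPv4Address(inner[16:20])),
                  inner[9], sport, dport)


def classify(q: Quench, my_addrs: set, my_flows: set) -> str:
    """my_flows: (dst, proto, dport) tuples this host has actually sent to
    (assumed here; in practice taken from the host's connection table)."""
    if q.inner_src not in my_addrs:
        return "not-mine"          # quoted datagram doesn't even claim to be ours
    if (q.inner_dst, q.inner_proto, q.inner_dport) in my_flows:
        return "genuine"           # throttles only what we send to inner_dst
    return "backscatter"           # someone flooded inner_dst with our address spoofed


def triage(packets, my_addrs, my_flows):
    """Per quenching host, how many quenches of each kind we received."""
    report = defaultdict(Counter)
    for pkt in packets:
        q = parse_source_quench(pkt)
        if q is not None:
            report[q.quencher][classify(q, my_addrs, my_flows)] += 1
    return {k: dict(v) for k, v in report.items()}


# Constructed sample: our firewall is 203.0.113.10 with one real HTTPS session
# to 198.51.100.5; 192.0.2.77 is a DDoS victim spraying quenches at us.
MY_ADDRS = {"203.0.113.10"}
MY_FLOWS = {("198.51.100.5", PROTO_TCP, 443)}
SAMPLE = [
    build_source_quench("198.51.100.5", "203.0.113.10", "203.0.113.10",
                        "198.51.100.5", PROTO_TCP, struct.pack("!HHI", 40000, 443, 1)),
] + [
    build_source_quench("192.0.2.77", "203.0.113.10", "203.0.113.10",
                        "192.0.2.77", PROTO_UDP, struct.pack("!HHHH", 53, 1024 + i, 8, 0))
    for i in range(3)
] + [
    build_source_quench("192.0.2.77", "203.0.113.10", "203.0.113.99",
                        "192.0.2.77", PROTO_TCP, struct.pack("!HHI", 1, 80, 0)),
]

if __name__ == "__main__":
    for quencher, counts in triage(SAMPLE, MY_ADDRS, MY_FLOWS).items():
        print(quencher, counts)
```

The backscatter count from a single quenching host is the signal Matt describes: lots of quenches quoting flows you never opened means that host is being flooded with your address as a spoofed source, and the most they can do to you is throttle the traffic you send to that one host.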

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users