Snort mailing list archives

RE: ICMP Source Quench


From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 28 Aug 2002 14:23:50 +0100

The HPUX is only an example of observing this type of message in the
wild.
It is usually very rare to see this kind of message.

Thanks for the additional info.

Cheers,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis () cmc optus net au] 
Sent: 28 August 2002 14:15
To: 'snort-users-request () lists sourceforge net'
Cc: Ofir Arkin; 'McCammon, Keith'; 'Wirth, Jeff'; 'Sergei Balyakin'
Subject: Re: [Snort-users] ICMP Source Quench

Ofir Arkin wrote:

With the next example an HP Open View system, based on HPUX B.11.0
operating system is probing the 172.18.2.x network in order to discover
the network topology. Since this operation was done without any rate
limiting of the sending of packets, at a certain point the HPUX machine
has reached the point it is no longer able to process some incoming
packets. Here is one of the ICMP Source Quench error messages it sent:

Just to add some additional information w.r.t HP/UX.

HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where 
due to some design issue (I forgot the details off the top of my head) 
caused it to generate quite a number of ICMP Source Quenches.

I remember Snort going nuts reporting Source Quenches, before I got our 
guys to install the patches, and I've hardly seen one since.

There are patches for all supported versions of HP/UX, and I believe 
this is fixed in HP/UX 11.x (I vaguely remember it had something to do with
the streams driver).

Email me privately and I can dig up specifics if required.




Cheers,

Chris.



