Snort-alerts/ICMP-Source-Quench

From aldeid

ICMP Source Quench

Identification

Id: 477
Alert: ICMP Source Quench
Classification: bad-unknown

Trigger

ICMP source quench messages are generated when a gateway device runs out of buffer space to process incoming network traffic. The message is informational: it asks the host generating the traffic to limit the rate at which it sends traffic toward the destination.

Affected systems

All connected network gear.

Impact

ICMP source quench messages are generated by gateway devices that no longer have the buffer space needed to queue datagrams for output to the next route. This could be an indication of a routing problem, a network capacity problem, or an ongoing Denial of Service attack.

False positives

Legitimate source quench datagrams will trigger this rule.

Scenario

Denial of Service. Attackers could potentially use ICMP source quench datagrams to rate limit a remote host that listens to unsolicited ICMP source quench datagrams.

Example

Corrective actions

Use ingress filtering to block incoming ICMP source quench datagrams.
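
Because legitimate and unsolicited source quench datagrams both trigger this rule, the following added example (not part of the original page or of Snort) shows one way to triage an alert: parse the ICMP type 4 message and check that the datagram it quotes was really sent by the host that received it. The function names, the `recent_flows` set of outbound (source, destination) pairs and the documentation-range sample addresses are assumptions.

```python
import ipaddress
import struct

ICMP_SOURCE_QUENCH = 4  # RFC 792: type 4, code 0

def addr(raw):
    return str(ipaddress.IPv4Address(raw))

def parse_source_quench(packet):
    """Return reporter/target/quoted addresses for a source quench, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_SOURCE_QUENCH or icmp[1] != 0:
        return None
    info = {"reporter": addr(packet[12:16]), "target": addr(packet[16:20]),
            "quoted_src": None, "quoted_dst": None}
    quoted = icmp[8:]  # IP header (+ 8 bytes) of the datagram the gateway discarded
    if len(quoted) >= 20 and quoted[0] >> 4 == 4:
        info["quoted_src"] = addr(quoted[12:16])
        info["quoted_dst"] = addr(quoted[16:20])
    return info

def triage(packet, recent_flows):
    """recent_flows: assumed set of (src, dst) pairs the monitored hosts sent."""
    info = parse_source_quench(packet)
    if info is None:
        return "not-source-quench"
    # A genuine quench quotes a datagram that the alert's destination host sent.
    flow = (info["quoted_src"], info["quoted_dst"])
    if info["quoted_src"] != info["target"] or flow not in recent_flows:
        return "unsolicited"
    return "plausible"

def ipv4(src, dst, proto, payload):
    """Constructed sample data: minimal IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def sample_icmp(reporter, target, quoted_src, quoted_dst, icmp_type=4):
    """Constructed sample: ICMP message quoting a UDP datagram's IP header."""
    quoted = ipv4(quoted_src, quoted_dst, 17, b"\x00" * 8)
    return ipv4(reporter, target, 1, struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted)
```

A result of "unsolicited" means the quoted datagram does not match anything the receiving host is known to have sent, which is the case the scenario above describes.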