From: Scott Johnson (sjohnairlinksys.com)
Date: Thu Apr 05 2001 - 16:02:48 CDT

    Quoth agetchelkde.state.ky.us on Thu, Apr 05, 2001 at 11:32:30AM -0400:
    > Hi JB,
    > It's a good idea to block ICMP source quench packets at the
    > firewall, as they can be used as a somewhat effective DoS attack (depending
    > on the OS of the machine being attacked and how it handles these
    > notifications). Seeing that many of these alerts in such a short amount of
    > time (all coming from one host going to one host?) would definitely raise a
    > red flag. However, we've seen a good amount of these being sent from remote
    > servers to our large proxy array for legitimate reasons (up to about 35 per
    > minute). Since the ICMP Source Quench notification is basically a remote
    > system telling your system 'Slow down! I can't process the data as fast as
    > you're sending it!', blocking these might result in packet loss.
    >

    An ICMP source quench should be discarded by the OS unless there is a
    valid IP header included in the message. TCP does the backoff, so IP has
    to know which stream to hand the ICMP message to, and TCP should be
    checking for valid sequence numbers. Now, in order for this to be an
    effective DoS, the attacker has to be able to provide this information,
    which means he needs access to the traffic he plans on disrupting. So
    while source quench can be used for DoS, it can't be used thus by just
    anyone.

    You said, Abe, that the effectiveness of such a DoS depends on the OS and
    how it handles source quench messages. Are you implying that some
    implementations don't check the sequence numbers and act appropriately
    (like ignoring sequence numbers already acked, or those invalid for the
    stream)? Or that there may be some added logic in interpreting source
    quench at the TCP layer? At the IP layer, of course, there's always ICMP
    bandwidth limiting...

    -- 
                                     Scott Johnson
                              System/Network Administrator
                                    Airlink Systems
    

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
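The validation Scott describes above (discard a Source Quench unless it quotes a valid IP header, hand it to the right TCP stream, and check the quoted sequence number against that stream) can be written out as a small host-side filter. The following is an added example written for this archive page, not code from any poster or from Snort; the `TcpConn` table, the `make_source_quench` builder and all addresses and ports are constructed for the demo, checksums are neither computed nor verified, and the in-flight window test (`SND.UNA <= SEG.SEQ < SND.NXT`) follows the RFC 5927 recommendation rather than any particular stack's behaviour.

```python
"""Host-side validation of ICMP Source Quench (type 4) messages (constructed example)."""
import struct
from dataclasses import dataclass

ICMP_SOURCE_QUENCH = 4   # RFC 792 type for Source Quench
IPPROTO_TCP = 6
SEQ_MOD = 1 << 32        # TCP sequence numbers wrap at 2**32


@dataclass
class TcpConn:
    """Minimal per-connection state (hypothetical; a real stack has far more)."""
    local: str
    lport: int
    remote: str
    rport: int
    snd_una: int   # oldest sequence number not yet acknowledged
    snd_nxt: int   # next sequence number this host will send


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4_header(data: bytes):
    """Return (proto, src, dst, header_len) or None if this is not a sane IPv4 header."""
    if len(data) < 20:
        return None
    version = data[0] >> 4
    ihl = (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        return None
    return data[9], ip_str(data[12:16]), ip_str(data[16:20]), ihl


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA <= seq < SND.NXT, computed modulo 2**32 so wrap-around is handled."""
    return (seq - snd_una) % SEQ_MOD < (snd_nxt - snd_una) % SEQ_MOD


def classify_source_quench(icmp: bytes, conns: dict) -> str:
    """Decide whether an ICMP message should reach TCP's back-off logic.

    `icmp` is the ICMP message starting at its type byte; `conns` maps
    (local, lport, remote, rport) -> TcpConn. Returns 'accept' or 'drop: <reason>'.
    """
    if len(icmp) < 8 or icmp[0] != ICMP_SOURCE_QUENCH:
        return "drop: not a source quench"
    quoted = icmp[8:]                      # original datagram quoted after the 4 unused bytes
    hdr = parse_ipv4_header(quoted)
    if hdr is None:
        return "drop: no valid embedded IP header"
    proto, src, dst, ihl = hdr
    if proto != IPPROTO_TCP:
        return "drop: embedded datagram is not TCP"
    tcp = quoted[ihl:]
    if len(tcp) < 8:                       # RFC 1122: at least 8 bytes of the original payload
        return "drop: embedded TCP header truncated"
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    # The quoted datagram was sent by *this* host, so its src/sport are the local side.
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return "drop: no matching TCP connection"
    if not seq_in_flight(seq, conn.snd_una, conn.snd_nxt):
        return "drop: sequence number outside the in-flight window"
    return "accept"


def make_source_quench(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Build a constructed Source Quench quoting a 20-byte IPv4 header plus 8 TCP bytes."""
    ip_hdr = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, IPPROTO_TCP, 0, 0]) + ip_bytes(src) + ip_bytes(dst)
    tcp_hdr = struct.pack("!HHI", sport, dport, seq)
    return bytes([ICMP_SOURCE_QUENCH, 0, 0, 0, 0, 0, 0, 0]) + ip_hdr + tcp_hdr


if __name__ == "__main__":
    conn = TcpConn("10.0.0.5", 40000, "192.0.2.10", 80, snd_una=1000, snd_nxt=5000)
    table = {(conn.local, conn.lport, conn.remote, conn.rport): conn}
    for label, seq in (("in flight", 2000), ("already acked", 500), ("never sent", 9000)):
        msg = make_source_quench("10.0.0.5", "192.0.2.10", 40000, 80, seq)
        print(f"{label:14s} -> {classify_source_quench(msg, table)}")
```

Everything after the protocol and embedded-header checks turns on the quoted sequence number: a message built without knowledge of the live stream's window is dropped before TCP ever slows down, which is the point of Scott's argument that an attacker must see the traffic to make this work.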