Rule:

--
Sid:
448

--
Summary:
This event is generated when an ICMP "Source Quench" message is 
generated that has a non-zero ICMP code.  

--
Impact:
Informational.  This may indicate that the ICMP message has been 
crafted.

--
Detailed Information:
An ICMP "Source Quench" message is issued by a network device that 
cannot handle the current volume of traffic.  The ICMP code value for 
this message should be 0.  If a non-zero ICMP code is observed, it may 
be an indication that the packet was crafted with an invalid value.

ICMP Source Quench messages may be normally sent by either a gateway or 
a host as a congestion control mechanism. A gateway sends them when it 
is running out of buffer space (needed to queue datagrams for output 
to the next hop); a host sends them when it is receiving datagrams too 
fast to process. Maliciously crafted ICMP Source Quench messages may be 
used to force a remote host to slow down its transmission rate, causing 
a Denial of Service.
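
As an added example (not part of this rule documentation and not Snort's 
own code), the following Python script applies the same check this rule 
performs to constructed ICMP messages: it parses the 8-byte ICMP header, 
verifies the RFC 1071 checksum, and flags a Source Quench (type 4) message 
whose code field is not 0. The packet bytes, addresses and the function 
names inspect_icmp and scan_messages are assumptions of this example.

```python
import struct

ICMP_SOURCE_QUENCH = 4  # ICMP type 4, "Source Quench" (RFC 792); only code 0 is defined


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data to a whole 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes) -> bytes:
    """Build an ICMP message with a correct checksum (constructed test data only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def inspect_icmp(message: bytes) -> dict:
    """Parse one ICMP message and report whether it matches the SID 448 condition."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", message[:8])
    # A valid message checksums to zero when the checksum field is included.
    checksum_ok = icmp_checksum(message) == 0
    # The rule condition: Source Quench with a non-zero (undefined) code.
    alert = icmp_type == ICMP_SOURCE_QUENCH and code != 0
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": checksum_ok,
        "sid448_match": alert,
    }


def scan_messages(messages: list) -> list:
    """Return the indices of messages that match the rule condition."""
    return [i for i, m in enumerate(messages) if inspect_icmp(m)["sid448_match"]]


# Constructed sample data: a Source Quench carries the IP header plus the
# first 8 bytes of the datagram that triggered it. Addresses are made up.
SAMPLE_PAYLOAD = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
) + b"\x00" * 8

SAMPLES = [
    build_icmp(ICMP_SOURCE_QUENCH, 0, SAMPLE_PAYLOAD),  # standard Source Quench
    build_icmp(ICMP_SOURCE_QUENCH, 5, SAMPLE_PAYLOAD),  # undefined code: flagged
    build_icmp(8, 0, b"\x00\x01\x00\x01"),              # echo request: ignored
    build_icmp(3, 1, SAMPLE_PAYLOAD),                   # dest. unreachable: ignored
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLES):
        print(i, inspect_icmp(msg))
    print("matches:", scan_messages(SAMPLES))
```

The checksum check is kept separate from the rule condition: a crafted 
message can carry a perfectly valid checksum, so a non-zero code is 
reported regardless, while a checksum failure is extra context for the 
analyst that the packet was damaged or hand-built.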

--
Affected Systems:
This traffic should have no adverse impact.

--
Attack Scenarios:
An attacker may craft an ICMP "Source Quench" message with an invalid 
ICMP code.  A single packet itself is not harmful, but the unusual ICMP 
code may indicate that this packet was abnormally generated.

--
Ease of Attack:
Simple. There are many packages available to generate ICMP messages.

--
False Positives:
Although rare, it is possible to observe an ICMP "Source Quench" message 
with a non-zero ICMP code generated by software that does not conform to 
standards.

--
False Negatives:
None Known.

--
Corrective Action:
If a routing device in your network is generating this message, 
investigate why it does not use the standard ICMP code of 0.

--
Contributors:
Original rule writer unknown.
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
Additional information by Jose Hernandez <jrseal76@hotmail.com>

--
Additional References:

--
