Rule:

--

Sid:
477

--

Summary:
This event is generated when a network host generates an ICMP source quench
datagram.

--

Impact:
ICMP source quench message are generated by gateway devices that no longer
have the buffer space needed to queue datagrams for output to the next route.
This could be an indication of a routing problem, network capacity problem, 
or on going Denial of Service attack.

--

Detailed Information:
ICMP source quench messasges are generated when a gateway device runs out
of buffer space to process incoming network traffic.  This is an informational
message that is generated in an attempt to inform the remote host generating
the traffic to limit the speed at which it is sending network traffic to
the remote host.

--

Attack Scenarios:
Denial of Service.  Attackers could potenially use ICMP source quench datagrams
to rate limit a remote host that listens to unsolicited ICMP source quench 
datagrams.   

--

Ease of Attack:
Numerous tools and scripts can generate this type of datagram.

--

False Positives:
Legitimate source quench datagrams will trigger this rule.

--

False Negatives:
None known
--

Corrective Action:
Use ingress filtering to block incoming ICMP source quench datagrams.

--

Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--

Additional References:
http://www.whitehats.com/info/IDS238


--
