477.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 52 行

Rule:

--
Sid:
477

--
Summary:
This event is generated when a network host generates an ICMP source quench datagram.

--
Impact:
ICMP source quench message are generated by gateway devices that no longer have the buffer space needed to queue datagrams for output to the next route. This could be an indication of a routing problem, network capacity problem, or ongoing Denial of Service attack.

--
Detailed Information:
ICMP source quench messasges are generated when a gateway device runs out of buffer space to process incoming network traffic.  This is an informational message that is generated in an attempt to inform the remote host generating the traffic to limit the speed at which it is sending network traffic to the remote host.

--
Attack Scenarios:
Denial of Service.  Attackers could potenially use ICMP source quench datagrams to rate limit a remote host that listens to unsolicited ICMP source quench datagrams.   

--
Ease of Attack:
Numerous tools and scripts can generate this type of datagram.

--
False Positives:
Legitimate source quench datagrams will trigger this rule.

--
False Negatives:
None known

--
Corrective Action:
Use ingress filtering to block incoming ICMP source quench datagrams.

--
Contributors:
Original rule writer unknown
Sourcefire Vulnerability Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--
Additional References:

OSVDB:
http://www.osvdb.org/15618

--