Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] ICMP

from [Garth Grayson] Network Security [Permanent Link]
Subject: [Snort-sigs] ICMP
Date: Thu, 5 May 2005 16:38:37 -0500 

What to do when an ICMP Source Quench is received


We inform TCP or any other protocol at that layer when ICMP receives a Source 
Quench. The basic action of our TCP implementations is to reduce the amount of 
data outstanding on connections to the host mentioned in the Source Quench. 
This control is applied by causing the sending TCP to behave as if the distant 
host's window size has been reduced. Our first implementation was simplistic 
but effective; once a Source Quench has been received our TCP behaves as if the 
window size is zero whenever the window isn't empty. This behavior continues 
until some number (at present 10) of ACKs have been received, at that time TCP 
returns to normal operation.³ David Mills of Linkabit Corporation has since 
implemented a similar but more elaborate throttle on the count of outstanding 
packets in his DCN systems. The additional sophistication seems to produce a 
modest gain in throughput, but we have not made formal tests. Both 
implementations effectively prevent congestion collapse in switching nodes. 

Source Quench thus has the effect of limiting the connection to a limited 
number (perhaps one) of outstanding messages. Thus, communication can continue 
but at a reduced rate, that is exactly the effect desired. 

This scheme has the important property that Source Quench doesn't inhibit the 
sending of acknowledges or retransmissions. Implementations of Source Quench 
entirely within the IP layer are usually unsuccessful because IP lacks enough 
information to throttle a connection properly. Holding back acknowledges tends 
to produce retransmissions and thus unnecessary traffic. Holding back 
retransmissions may cause loss of a connection by a retransmission timeout. Our 
scheme will keep connections alive under severe overload but at reduced 
bandwidth per connection. 

Other protocols at the same layer as TCP should also be responsive to Source 
Quench. In each case we would suggest that new traffic should be throttled but 
acknowledges should be treated normally. The only serious problem comes from 
the User Datagram Protocol, not normally a major traffic generator. We have not 
implemented any throttling in these protocols as yet; all are passed Source 
Quench messages by ICMP but ignore them. 

 

Garth Grayson
Network Administrator    
Caledonian Group Services Ltd .
Grand Cayman, Cayman Islands

( (345) 949-0050 (Main)
( (345) 914-4881 (Direct)
( (345) 949-8062 (Fax)

* garth.grayson@caledonian.com
& www.caledonian.com <http://www.caledonian.com/>

GIF image

GIF image

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  Re: [Snort-sigs] Possible improvements to pop3 rules., pr00f
Previous by Thread:  [Snort-sigs] Rule 2480 : byte_jump doesn't make sense., Erik de Castro Lopo
Next by Thread:  Re: [Snort-sigs] ICMP, Matt Kettler
Indexes:  [Date] [Thread] [Top] [All Lists]