On Fri 2007-02-23 at 19:07 +0000, Paul wrote:

> I recently found internet access very very slow on my network, and a
> little investigation showed up a lot of network activity on a machine I
> keep in the DMZ. This Suse 10 machine hosts a SSHD, Apache2 server and
> Squid/Dansguardian. The access.log for squid was full of lines like:
>
> 1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
> 1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET http://media.fastclick.net/w/get.media? - DIRECT/63.215.202.application/x-javascript

Looks like someone found a way to bounce via your server, using it as an open proxy. Exactly how is unclear from these logs alone, but it seems there is some kind of proxy on your server allowing an indirect connection to Squid.

Is this a normal proxy, or a transparently intercepting proxy?

What ports are listening on the server?

What ports are allowed in via the firewall?

Any firewall NAT rules remapping ports? (i.e. transparent interception of port 80 traffic to a different port)

I do not think you are part of a DDoS, but rather that people abuse your server as an open proxy, bypassing filters of their own network or hiding their identity...

Regards
Henrik
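As an added example, not code from the thread, here is a small parser for Squid's native access.log format that tallies outbound (non-cache) fetches per client and, for requests arriving from a local relay address such as 127.0.0.1, per destination host. The sample lines are constructed; 198.51.100.7 and 192.168.1.20 are placeholder addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native log format:
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1172143803.288    796 127.0.0.1 TCP_MISS/302 498 GET http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
1172143803.352    287 127.0.0.1 TCP_MISS/200 1283 GET http://media.fastclick.net/w/get.media? - DIRECT/198.51.100.7 application/x-javascript
1172143804.001     40 192.168.1.20 TCP_HIT/200 5120 GET http://intranet.example/index.html - NONE/- text/html
1172143804.113    611 127.0.0.1 TCP_MISS/200 2210 GET http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 image/gif
"""

# One regex group per whitespace-separated field of the native format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def relay_report(log_text, relay_clients=("127.0.0.1",)):
    """Count requests that Squid actually fetched from the network (hierarchy
    code other than NONE, i.e. not served from cache), per client address.
    For clients in relay_clients (a local filter or proxy feeding Squid),
    also count destination hosts, so a burst of outbound fetches that all
    arrive via localhost stands out."""
    per_client = Counter()
    relay_hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["hier"].startswith("NONE"):
            continue
        per_client[rec["client"]] += 1
        if rec["client"] in relay_clients:
            relay_hosts[urlsplit(rec["url"]).hostname] += 1
    return per_client, relay_hosts


if __name__ == "__main__":
    clients, hosts = relay_report(SAMPLE_LOG)
    print("outbound fetches per client:", dict(clients))
    print("hosts fetched via local relay:", dict(hosts))
```

Because a local filter such as Dansguardian hands requests to Squid from 127.0.0.1, the client column alone cannot separate local users from outside abusers; the filter's own log (not parsed here) holds the originating address.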