Search squid archive

Re: Squid attack?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



fre 2007-02-23 klockan 19:07 +0000 skrev Paul:
> I recently found internet access very very slow on my network, and a
> little investigation showed up a lot of network activity on a machine I
> keep in the DMZ. This Suse 10 machine hosts a SSHD, Apache2 server and
> Squid/Dansguardian.The access.log for squid was full of lines like :
> 
> 1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET
> http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
> 1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET
> http://media.fastclick.net/w/get.media? -
> DIRECT/63.215.202.application/x-javascript

Looks like someone found a way to bounce via your server using it as an
open proxy.. exactly how is unclear from these logs alone but it seems
there is some kind of proxy on your server allowing an indirect
connection to Squid.

Is this a normal proxy, or a transparently intercepting proxy?

What ports is listening on the server?

What ports is allowed in via the firewall?

Any firewall NAT rules remapping ports? (i.e. transparent interception
of port 80 traffic to a different port)

I do not think you are being part of a DDoS, but rather that people
abuse your server as an open proxy bypassing filters of their own
network or hiding their identity...

Regards
Henrik

Attachment: signature.asc
Description: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad meddelandedel


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux