On 12/04/2011 06:15, Amos Jeffries wrote:
On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
On 11/04/2011 20:53, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day,
Some times when i check my ESET Antivirus LogFile, it shows that some
activities of clients in my network are attacking my network especially
squid port (3128) with TCP Flooding or DNS Poisioning. I check the
internet for there meaning and found out that they are not good
activities
on any network.
What?
it's nice t know that you do have tcp flooding.. or what so..
but the problem is that the AV is not providing any details on how it
is getting this conclusion.
i would start with a simple wireshark on this specific machine that
you are getting the warnings
in case you do have some problems on your network setup.
by the way proxy traffic can indeed in a way be misunderstood as TCP
flood and DNS spoofer.
NOTE: Usually TCP flooding is a warning thrown up by the kernel when
TCP has a lot of new connections made. A busy proxy will easily hit
the default thresholds for this.
TCP offers a feature called "SYN cookies" which can help with this
problem.
see
http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
so it's almost sure that the same mechanism that works on linux kernel..
is been used on the eset..
the thing is that we are talking about the AV that sits on other machine..
so, it's seems kind of odd for the AV\FW on other machine to actually be
100% reliable on the analysis in this case?
Eliezer
Is there any configuration option(s) in squid that i can use to
drop/block
such TCP Flooding and DNS Poisioning traffic?
Any suggestion?
Squid is a server.. it wont react unless it requested to do things.
this is from my experience so unless you have a bad squid setup that
can lead to open relay proxy..
i cant really thing of something.
if i dont know or understand something i would like to here about it.
There is a security vulnerability in the Squid DNS receiving for old
versions.
http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
(NP: right now the advisory shows 2.x as vulnerable. 2.6.STABLE24+ and
2.7.STABLE8+ should be listed as safe. Fixing that now.)
Following the workaround indicated or using a fixed version fake DNS
packets will not be a big problem. Just a waste of some few CPU cycles.
Further protection can be added by firewalling the DNS responses
(coming from port 53 UDP or 953 TCP) unless they come from the system
configured resolver (/etc/resolv.conf). Checking that squid.conf does
not override the OS with dns_nameservers directive, if it does
exceptions will need to be added for those machines as well.
Amos
