On 12/04/11 15:51, Eliezer Croitoru wrote:
On 12/04/2011 06:15, Amos Jeffries wrote:
On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
On 11/04/2011 20:53, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day,
Some times when i check my ESET Antivirus LogFile, it shows that some
activities of clients in my network are attacking my network especially
squid port (3128) with TCP Flooding or DNS Poisioning. I check the
internet for there meaning and found out that they are not good
activities
on any network.
What?
it's nice t know that you do have tcp flooding.. or what so..
but the problem is that the AV is not providing any details on how it
is getting this conclusion.
i would start with a simple wireshark on this specific machine that
you are getting the warnings
in case you do have some problems on your network setup.
by the way proxy traffic can indeed in a way be misunderstood as TCP
flood and DNS spoofer.
NOTE: Usually TCP flooding is a warning thrown up by the kernel when
TCP has a lot of new connections made. A busy proxy will easily hit
the default thresholds for this.
TCP offers a feature called "SYN cookies" which can help with this
problem.
see
http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
so it's almost sure that the same mechanism that works on linux kernel..
is been used on the eset..
the thing is that we are talking about the AV that sits on other machine..
so, it's seems kind of odd for the AV\FW on other machine to actually be
100% reliable on the analysis in this case?
Yes. Is it getting a copy of all the packets? either by port mirroring
or being a bridge?
It could be checking the same things, but without the benefits of
tuning the Squid box has.
How its getting the poisoning attack conclusion baffles me a bit. Though
working blind as to how the EV integrates with the network that is not hard.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.6
