Re: TCP Flooding attack and DNS Poisioning attack

[Eliezer Croitoru <eliezer@xxxxxxxxxxxxxxxxxxxxx>]

On 12/04/2011 08:37, Amos Jeffries wrote:

> On 12/04/11 15:51, Eliezer Croitoru wrote:
> > On 12/04/2011 06:15, Amos Jeffries wrote:
> >
> > > On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
> > > > On 11/04/2011 20:53, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> > > >
> > > > > Good day,
> > > > > Some times when i check my ESET Antivirus LogFile, it shows that some
> > > > > activities of clients in my network are attacking my network 
> > > > > especially
> > > > > squid port (3128) with TCP Flooding or DNS Poisioning. I check the
> > > > > internet for there meaning and found out that they are not good
> > > > > activities
> > > > > on any network.
> > > > What?
> > > > it's nice t know that you do have tcp flooding.. or what so..
> > > > but the problem is that the AV is not providing any details on how it
> > > > is getting this conclusion.
> > > > i would start with a simple wireshark on this specific machine that
> > > > you are getting the warnings
> > > > in case you do have some problems on your network setup.
> > > > by the way proxy traffic can indeed in a way be misunderstood as TCP
> > > > flood and DNS spoofer.
> > >
> > > NOTE: Usually TCP flooding is a warning thrown up by the kernel when
> > > TCP has a lot of new connections made. A busy proxy will easily hit
> > > the default thresholds for this.
> > >
> > > TCP offers a feature called "SYN cookies" which can help with this
> > > problem.
> > >
> > > see
> > > http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html 
> > so it's almost sure that the same mechanism that works on linux kernel..
> > is been used on the eset..
> > the thing is that we are talking about the AV that sits on other 
> > machine..
> > so, it's seems kind of odd for the AV\FW on other machine to actually be
> > 100% reliable on the analysis in this case?
>
> Yes. Is it getting a copy of all the packets? either by port mirroring 
> or being a bridge?
>  It could be checking the same things, but without the benefits of 
> tuning the Squid box has.
>
> How its getting the poisoning attack conclusion baffles me a bit. 
> Though working blind as to how the EV integrates with the network that 
> is not hard.
>
> Amos
I work with eset AV and FW systems and as far as i know they dont have 
IDS systems so it seems to me a malfunctioning or flooded switch
cause most of the IDS systems knows how to understand network 
streams.(or at least suppose to)
i really would like to know the network topology in this place :)

Eliezer