On 12/04/2011 08:37, Amos Jeffries wrote:
On 12/04/11 15:51, Eliezer Croitoru wrote:
On 12/04/2011 06:15, Amos Jeffries wrote:
On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
On 11/04/2011 20:53, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day,
Sometimes when I check my ESET Antivirus log file, it shows that some activities of clients in my network are attacking my network, especially the squid port (3128), with TCP Flooding or DNS Poisoning. I checked the internet for their meaning and found out that they are not good activities on any network.
What?
It's nice to know that you do have TCP flooding, or whatever it is, but the problem is that the AV is not providing any details on how it is getting to this conclusion.
I would start with a simple Wireshark capture on this specific machine that you are getting the warnings about, in case you do have some problems in your network setup.
By the way, proxy traffic can indeed, in a way, be misunderstood as a TCP flood and a DNS spoofer.
NOTE: Usually TCP flooding is a warning thrown up by the kernel when TCP has a lot of new connections made. A busy proxy will easily hit the default thresholds for this.
TCP offers a feature called "SYN cookies" which can help with this problem.
See
http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
So it's almost sure that the same mechanism that works in the Linux kernel is being used in ESET.
The thing is that we are talking about an AV that sits on another machine, so it seems kind of odd for the AV/FW on another machine to actually be 100% reliable in its analysis in this case?
Yes. Is it getting a copy of all the packets? Either by port mirroring or by being a bridge?
It could be checking the same things, but without the benefits of the tuning the Squid box has.
How it's getting the poisoning attack conclusion baffles me a bit. Though, working blind as to how the AV integrates with the network, that is not hard.
Amos
I work with ESET AV and FW systems and as far as I know they don't have IDS systems, so it seems to me like a malfunctioning or flooded switch, because most IDS systems know how to understand network streams (or at least are supposed to).
I really would like to know the network topology in this place :)
Eliezer
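The kernel-threshold explanation Amos gives above (a busy proxy filling the SYN backlog until the kernel falls back to SYN cookies), turned into a check a defender could run on the Squid box itself rather than trusting a warning from an AV on another machine. This is an added example, not code from the thread; it assumes a /proc/net/tcp snapshot and dmesg text handed in as strings (the ones below are constructed) and an assumed listen backlog of 128.

```python
"""Count half-open (SYN_RECV) sockets per listening port from a /proc/net/tcp
snapshot and match them against kernel 'possible SYN flooding' messages.
Added example, not from the thread; the snapshot and log lines are constructed."""
import re
from collections import Counter

SYN_RECV, LISTEN = "03", "0A"   # state codes in the 'st' column of /proc/net/tcp
FLOOD_RE = re.compile(r"possible SYN flooding on port (\d+)", re.IGNORECASE)

def parse_proc_net_tcp(text):
    """Return (set of listening ports, Counter of SYN_RECV sockets per port)."""
    listening, half_open = set(), Counter()
    for line in text.splitlines()[1:]:            # first row is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].split(":")[1], 16)   # local port, hex (0C38 -> 3128)
        if fields[3] == LISTEN:
            listening.add(port)
        elif fields[3] == SYN_RECV:
            half_open[port] += 1
    return listening, half_open

def assess(proc_tcp, dmesg, backlog=128):
    """Per listening port: half-open count, % of the listen backlog it fills, and
    how often the kernel warned about it. backlog=128 is an assumed somaxconn."""
    listening, half_open = parse_proc_net_tcp(proc_tcp)
    warned = Counter(int(m.group(1)) for m in FLOOD_RE.finditer(dmesg))
    return {p: {"half_open": half_open[p],
                "backlog_pct": round(100 * half_open[p] / backlog),
                "kernel_warnings": warned[p]} for p in sorted(listening)}

# Constructed sample: Squid listening on 3128 (0x0C38) with three half-open
# connections from one client, plus sshd on 22 (0x0016) with none.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00000A:0C38 1400010A:D431 03 00000000:00000000 00:00000000 00000000     0        0 0 1
   3: 0A00000A:0C38 1400010A:D432 03 00000000:00000000 00:00000000 00000000     0        0 0 1
   4: 0A00000A:0C38 1400010A:D433 03 00000000:00000000 00:00000000 00000000     0        0 0 1
"""
SAMPLE_DMESG = """\
[  412.118] possible SYN flooding on port 3128. Sending cookies.
[  473.902] possible SYN flooding on port 3128. Sending cookies.
"""
if __name__ == "__main__":
    for port, info in assess(SAMPLE_PROC_TCP, SAMPLE_DMESG).items():
        print(port, info)
```

On a live box, feed it the contents of /proc/net/tcp and the output of dmesg, and read the real backlog from /proc/sys/net/core/somaxconn; a port whose half-open share keeps climbing while the kernel keeps sending cookies is the one worth capturing with Wireshark.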