Good day,

Thanks all for concern. The network topology is as follows: Workstations are installed with Windows 7 Pro with Spyware Terminator with integrated ClamAV, all linked to a Cisco 2950 switch, and a multihomed server with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to the Cisco switch for the LAN connection and the other to the internet through a broadband device. Windows 7 on the server is used to share the internet connection and the workstation browsers are configured to use the server IP and port 3128.

Thanks for your assistance,
regards,
Yomi

> On 12/04/2011 08:37, Amos Jeffries wrote:
>
>> On 12/04/11 15:51, Eliezer Croitoru wrote:
>>> On 12/04/2011 06:15, Amos Jeffries wrote:
>>>
>>>> On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
>>>>> On 11/04/2011 20:53, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
>>>>>
>>>>>> Good day,
>>>>>> Sometimes when I check my ESET Antivirus LogFile, it shows that some
>>>>>> activities of clients in my network are attacking my network, especially
>>>>>> the squid port (3128), with TCP Flooding or DNS Poisoning. I checked the
>>>>>> internet for their meaning and found out that they are not good activities
>>>>>> on any network.
>>>>> What?
>>>>> It's nice to know that you do have TCP flooding.. or what so..
>>>>> but the problem is that the AV is not providing any details on how it
>>>>> is getting this conclusion.
>>>>> I would start with a simple Wireshark on this specific machine that
>>>>> you are getting the warnings on,
>>>>> in case you do have some problems in your network setup.
>>>>> By the way, proxy traffic can indeed in a way be misunderstood as a TCP
>>>>> flood and DNS spoofer.
>>>>
>>>> NOTE: Usually TCP flooding is a warning thrown up by the kernel when
>>>> TCP has a lot of new connections made. A busy proxy will easily hit
>>>> the default thresholds for this.
>>>>
>>>> TCP offers a feature called "SYN cookies" which can help with this
>>>> problem.
>>>>
>>>> see
>>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
>>>>
>>> so it's almost sure that the same mechanism that works on the linux kernel..
>>> is being used on the ESET..
>>> the thing is that we are talking about the AV that sits on another machine..
>>> so it seems kind of odd for the AV\FW on another machine to actually be
>>> 100% reliable on the analysis in this case?
>>>
>>
>> Yes. Is it getting a copy of all the packets? Either by port mirroring
>> or being a bridge?
>> It could be checking the same things, but without the benefits of
>> tuning the Squid box has.
>>
>> How it's getting the poisoning attack conclusion baffles me a bit.
>> Though working blind as to how the AV integrates with the network that
>> is not hard.
>>
>> Amos
> I work with ESET AV and FW systems and as far as I know they don't have
> IDS systems, so it seems to me a malfunctioning or flooded switch,
> cause most of the IDS systems know how to understand network
> streams (or at least are supposed to).
> I really would like to know the network topology in this place :)
>
> Eliezer
>
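A defender's triage check for the "TCP flooding" warning discussed in this thread, added here as an example that is not part of the thread: it parses Windows `netstat -an` output (the sample lines are constructed) for the Squid port 3128 and separates a busy proxy, many completed connections spread across LAN clients, from a SYN flood, half-open connections piling up from one source. The thresholds are assumed values and should be tuned to the size of the LAN.

```python
"""Triage a 'TCP flooding' warning against Squid's listening port.

Run `netstat -an` on the Squid box and feed its output to verdict().
A busy proxy shows ESTABLISHED/TIME_WAIT entries from many clients; a
SYN flood shows SYN_RECEIVED entries that never complete, mostly from
one (often spoofed) source. Not the thread's code; sample is constructed.
"""
import re
from collections import Counter

PROXY_PORT = 3128
# Windows netstat -an line: "TCP  local:port  remote:port  STATE"
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

SAMPLE = """\
  TCP    192.168.1.1:3128       192.168.1.10:49152     ESTABLISHED
  TCP    192.168.1.1:3128       192.168.1.10:49153     TIME_WAIT
  TCP    192.168.1.1:3128       192.168.1.11:50001     ESTABLISHED
  TCP    192.168.1.1:3128       192.168.1.12:50002     ESTABLISHED
  TCP    192.168.1.1:3128       10.9.9.9:1025          SYN_RECEIVED
  TCP    192.168.1.1:3128       10.9.9.9:1026          SYN_RECEIVED
  TCP    192.168.1.1:3128       10.9.9.9:1027          SYN_RECEIVED
  TCP    192.168.1.1:445        192.168.1.10:49200     ESTABLISHED
"""

def summarize(netstat_text, port=PROXY_PORT):
    """Return (per-state counts, per-client counts, half-open per client)."""
    states, clients, half_open = Counter(), Counter(), Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(2)) != port:
            continue  # not a TCP line, or not the proxy port
        client, state = m.group(3), m.group(5)
        states[state] += 1
        clients[client] += 1
        if state == "SYN_RECEIVED":
            half_open[client] += 1
    return states, clients, half_open

def verdict(netstat_text, port=PROXY_PORT, max_half_open=2, max_share=0.5):
    """'idle', 'busy-proxy', or 'possible-syn-flood from <client>'.
    max_half_open / max_share are assumed thresholds; tune for your LAN."""
    states, _clients, half_open = summarize(netstat_text, port)
    if sum(states.values()) == 0:
        return "idle"
    pending = states["SYN_RECEIVED"]
    top_client, top_pending = (half_open.most_common(1) or [(None, 0)])[0]
    if pending > max_half_open and top_pending / pending > max_share:
        return f"possible-syn-flood from {top_client}"
    return "busy-proxy"
```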