Search squid archive

Re: TCP Flooding attack and DNS Poisioning attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 15/04/11 02:05, squid@xxxxxxxxxxxxxxxxxxxxxxx wrote:
Good day,
Thanks all for concern. The network topology is as follow:
Workstations are installed with Windows 7 Pro with spyware terminator with
integrated ClamAV all link to a Cisco 2950 switch and a multihome server
with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to
the Cisco switch for LAN connection and the other to internet through
broadband device. Windows 7 on the server is used to share the internet
connection and the workstation browsers are configure to use server IP and
port 3128.
Thanks for your assistance,
regards,
Yomi


Thanks. A couple of things are in effect here and come to mind as possible reasons for the warnings.

Firstly is the low (2048) FD limit on Windows. We have not been able to avoid that. ESET may simply be detecting the client traffic reaching or passing that limit. If so its not so much a security issue as a resource overload issue. The traffic bottenecks behind Squid so client get a crap experience but the Internet is saved from anything they try.


The other idea depends on whether you have ClamAV integrated to scan the Squid traffic? ClamAV with Squid-2 has to use a redirector. This forces up to *three* requests processed by Squid to fetch any new object. The first one from the client to kicks off a ClamAV scan (getting a 3xx back from ClamAV redirector). Then the ClamAV fetch to get content for scanning. Then the followup client request to get the scanned content from ClamAV.

DNS I'm not so sure of. Squid should not be making a huge amount of DNS requests. It could be your clients making a great many requests of Squid. If ESET provides which client IPs are the suspect ones look through the Squid access.log and cache.log to see what those are doing. Your configuration can affect DNS load in bad ways though. For example using the dst ACL raises DNS load by an extra lookup per ACL test in 2.7.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux