Hi There, Pardon me for long email. Actually I faced a DOS attack in a university setup and want to get help to avoid it in future. I am using squid following version squid -v Squid Cache: Version 3.4.3 configure options: '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=65535' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' One day I got following error in squid cache log ; mention that after every 4 to 5 minutes the error appears and squid child process crashed. 2014/05/23 14:42:55 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING" 2014/05/23 14:45:39 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING" 2014/05/23 14:49:47 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING" 2014/05/23 14:53:55 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING" .... and so on The system log is showing as below: May 23 14:42:56 proxy1 squid[3502]: Squid Parent: (squid-1) process 18622 exited due to signal 6 with status 0 May 23 14:42:59 proxy1 squid[3502]: Squid Parent: (squid-1) process 18678 started May 23 14:45:40 proxy1 squid[3502]: Squid Parent: (squid-1) process 18678 exited due to signal 6 with status 0 May 23 14:45:43 proxy1 squid[3502]: Squid Parent: (squid-1) process 18734 started May 23 14:49:48 proxy1 squid[3502]: Squid Parent: (squid-1) process 18734 exited due to signal 6 with status 0 May 23 14:49:51 proxy1 squid[3502]: Squid Parent: (squid-1) process 18794 started May 23 14:53:56 proxy1 squid[3502]: Squid Parent: (squid-1) process 18794 exited due to signal 6 with status 0 May 23 14:53:59 proxy1 squid[3502]: Squid Parent: (squid-1) process 18855 started ..... and so on. After a day of struggle I denied some IP subnet from accessing the squid cache and the issue of this assertion failed is resolved. In this regard apparently it seems that some denial of service attack is executed. But I from access log not been able to point out who could be the culprit of that and further what query made him possible for exploiting this vulnerability of the latest version of squid 3.4.3. Please help me in mitigating so that the future attack of such kind can be immediately blocked or relevant patched to be added to squid. Thanks for your support in advance. Farooq Bhatti --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
