Search squid archive

Re: source spoofing without tproxy?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13/06/17 19:34, Matus UHLAR - fantomas wrote:
On 13/06/17 13:48, David Kewley wrote:
I want my clients to explicitly address squid as a proxy (not use tproxy), but have squid spoof the source addresses in the forwarded connection, so that further hops know the original source address from the IPv4 headers.

I could find no indication that anyone else has done this, and when I tried various things, I could not get it working.

Is this possible today? If not, is it worth considering as a future feature? Or am I overlooking a reason that this cannot work even in theory?

On 13.06.17 16:50, Amos Jeffries wrote:
It is not possible.

No, it is a terrible idea.

It is prohibited by the OS kernel as part of the anti-malware protections, in this case to prevent the local machine being used to attack its surrounding network nodes. And by Squid to make it harder to use Squid as viral payload and damage the brand reputation.

For me to fully understand (I was curious about this some time ago), it is
allowed to fake clients' IPs when intercepting their connections, but not
when connections are done to proxy server directly?

Yes.

What's the difference that makes it more terrible than spoofing IPs of
intercepted connections?

If you take a close look at the packets you should see the incoming ones as (client-IP:server-IP:server-port) and outgoing from Squid has identical (client-IP:server-IP:server-port). Only the src-port differs. - As far as the rest of the network is concerned Squid is acting as if it were a TCP router. The kernel is also configured as a router in order to do TPROXY, so the whole environment except for the proxy and a few rules in the networking stack is setup for routing.


By comparison, without TPROXY the incoming packets have (client-IP:client-port:squid-IP:squid-port) and the server connection packets would have (client-IP:random-port:server-IP:server-port). The machine is setup as a server host, not a router. Which is where Ingress and Egress Filtering both stomp on it hard for using other machines IPs.


PS. if you spoof (with or without TPROXY) and have not implemented BCP-38 ingress filtering (AND its equivalent egress filtering) on your network then you are part of the DoS attack system, guaranteed, whether you know it or not. Very likely you will _not_ be aware of it because all the information you can log or gather from TCP is spoofed (duh!) and appears to be your own innocent clients doing things that clients tend to do (NTP lookups? DNS lookups? sending email? using HTTP? sure no harm there ... unless it wasn't them).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux