Re: Forwarded-> port scan attack from your system (fwd)

From: David Luyer <david_luyer@dont-contact.us>
Date: Tue, 29 Aug 2000 18:01:41 +1100

> Sigh, Squid's persistent attempts to establish a connection make
> some people think it's a port scan attack.

That looks like a SYN flood not a port scan! Why does everyone just say
"port scan" these days? If you were port scanning, you'd be looking at
different remote ports...

Had the opposite problem recently, people who can't recognise a DDoS
attack (one of our servers was used as an intermediary in a DDoS attack
by a btinternet user against various sites).

Sent logs and details of the tools used to btinternet, they reply back
"thanks your report of unauthorised mail relay, it has been forwarded..."
then "thanks for your report of a port scan but these are not actually
a problem and are often not a real scan. try lowering your intrusion
detection". After responding telling them they should look a bit more
carefully, I got "thanks for reporting usenet abuse or spamming". So
they sit and refuse to even look into someone who has hacked a system,
installed a DDoS tool and flooded a variety of web sites with 20Mbps...
it appears because they just can't read enough to understand, or
perhaps they don't even know what DDoS means. Or maybe because they
don't have a form letter to cover it.

Anyway, back on track, you shouldn't be trying more than, say, 1 TCP
connection attempt each 10 seconds unless the client is making requests
more often than that.

David.

-- 
----------------------------------------------
David Luyer
Senior Network Engineer
Pacific Internet (Aust) Pty Ltd
Phone:  +61 3 9674 7525
Fax:    +61 3 9699 8693
Mobile: +61 4 1064 2258, +61 4 1114 2258
http://www.pacific.net.au        NASDAQ: PCNTF
<< fast 'n easy >>
----------------------------------------------
Received on Tue Aug 29 2000 - 01:02:01 MDT
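
Added example, not part of the original message: a small classifier that separates the two patterns discussed above, many different remote ports (a scan) versus repeated SYNs to one port faster than the 1-per-10-seconds figure mentioned in the message. The record format, label names, thresholds other than that rate, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample SYN records: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_SYNS = (
    [(t * 0.5, "192.0.2.10", "198.51.100.5", 80) for t in range(40)]        # one port, 2 SYN/s
    + [(t * 1.0, "192.0.2.20", "198.51.100.5", 20 + t) for t in range(30)]  # 30 different ports
    + [(t * 15.0, "192.0.2.30", "198.51.100.5", 3128) for t in range(4)]    # slow retries
)


def classify_syns(records, scan_ports=10, max_rate=0.1, min_syns=5):
    """Label each (src, dst) pair by how its SYNs spread over ports and time.

    scan_ports: distinct destination ports at which a pair is called a scan
                (assumed threshold).
    max_rate:   tolerated SYNs per second to a single port; 0.1 is the
                "1 attempt each 10 seconds" figure from the message.
    min_syns:   ignore ports with fewer SYNs than this (assumed threshold).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst)].append((ts, dport))

    verdicts = {}
    for pair, syns in by_pair.items():
        ports = {port for _, port in syns}
        # Different remote ports from one source: this is what a scan looks like.
        if len(ports) >= scan_ports:
            verdicts[pair] = "port-scan"
            continue
        # Few ports: check whether any single port is being hit too fast.
        worst_rate = 0.0
        for port in ports:
            times = sorted(ts for ts, p in syns if p == port)
            if len(times) < min_syns:
                continue
            span = times[-1] - times[0]
            rate = (len(times) - 1) / span if span > 0 else float("inf")
            worst_rate = max(worst_rate, rate)
        verdicts[pair] = "repeated-syn" if worst_rate > max_rate else "normal"
    return verdicts


if __name__ == "__main__":
    for pair, label in classify_syns(SAMPLE_SYNS).items():
        print(pair, label)
```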
