Re: Forwarded-> port scan attack from your system (fwd)

From: Martin Pool <mbp@dont-contact.us>
Date: Thu, 31 Aug 2000 11:09:17 +1100

On Thu, Aug 31, 2000 at 01:15:30AM +0200, Henrik Nordstrom wrote:
> Duane Wessels wrote:
> >
> > Sigh, Squid's persistent attempts to establish a connection make
> > some people think it's a port scan attack.
>
> Stupid them (can't see the difference between a port scan and a syn
> flood).
>
> Nevertheless, Squid does NOT behave well. For a given server (peer or
> origin) it should only try once, at most twice, not 10 times per
> request.

It may not actually be Squid that is retrying, but rather the TCP/IP
stack. This behaviour can occur even if Squid only makes a single
connect(2) call.

If the site has blackholed packets from that port so that it responds
with neither a SYN ACK nor an RST, then the operating system will
retransmit the SYN several times, thinking that it may have got lost
in the network. This is fine, normal, and in compliance with the
standards. It is neither a SYN flood nor a port scan.

-- 
Martin Pool                        http://linuxcare.com.au/rproxy/
rproxy accelerates HTTP by dynamic caching and differential update

Received on Wed Aug 30 2000 - 18:09:50 MDT
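The distinction Martin draws above (one connect(2) whose SYN the kernel retransmits with growing intervals versus a real scan across many ports) is something a firewall-log reviewer can check mechanically. The following is an added illustration, not code from the original thread or from Squid; the log records are constructed and the field layout is assumed.

```python
from collections import defaultdict

# Constructed sample SYN records in the shape a firewall might log:
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_seq). Not from the thread.
# One connection attempt whose SYN was retransmitted with TCP backoff:
RETRANSMIT_TRACE = [
    (0.0, "10.0.0.5", 40001, "192.0.2.10", 3128, 1000),
    (3.0, "10.0.0.5", 40001, "192.0.2.10", 3128, 1000),
    (9.0, "10.0.0.5", 40001, "192.0.2.10", 3128, 1000),
    (21.0, "10.0.0.5", 40001, "192.0.2.10", 3128, 1000),
    (45.0, "10.0.0.5", 40001, "192.0.2.10", 3128, 1000),
]
# Many distinct destination ports from one source in a short window:
SCAN_TRACE = [
    (i * 0.01, "10.0.0.9", 50000 + i, "192.0.2.10", 20 + i, 5000 + i)
    for i in range(12)
]

SCAN_PORT_THRESHOLD = 10  # assumed tuning value for this example


def _backing_off(times):
    """True if the gaps between successive packets never shrink,
    which is what a retransmitting TCP stack produces."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(later >= earlier for earlier, later in zip(gaps, gaps[1:]))


def classify_syns(trace):
    """Return {(src_ip, dst_ip): verdict} for a list of SYN records.
    'retransmit' -- a single connection attempt (same source port and
                    initial sequence number) retried by the OS with backoff.
    'scan'       -- many distinct destination ports from one source.
    'other'      -- neither pattern; needs a human look.
    """
    by_pair = defaultdict(list)
    for rec in trace:
        by_pair[(rec[1], rec[3])].append(rec)
    verdicts = {}
    for pair, recs in by_pair.items():
        dports = {r[4] for r in recs}
        flows = {(r[2], r[4], r[5]) for r in recs}  # (sport, dport, ISN)
        times = [r[0] for r in recs]
        if len(dports) >= SCAN_PORT_THRESHOLD:
            verdicts[pair] = "scan"
        elif len(flows) == 1 and len(recs) > 1 and _backing_off(times):
            verdicts[pair] = "retransmit"
        else:
            verdicts[pair] = "other"
    return verdicts
```

Repeated SYNs that share source port and sequence number and arrive at widening intervals are the kernel doing its job, not the application retrying, so the fix (if any) lies with the blackholing peer, not with Squid.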
