Re: [squid-users] code red is making horrible on our network from Marc van Selm on 2001-08-14 (squid-users)

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Tue, 14 Aug 2001 09:40:27 +0200

At 08:28 PM 8/9/01 -0300, Luiz Lima wrote:

[...]

>I can't block IPs because they are dinamic assigned dial-up accounts. I
>can't just explain it to my customers because I only know which ones are
>infected AFTER my Squid server is already down.
>
>I really need a way to tell Squid to NOT proccess the requests before it
>take resourses away from valid ones.

Luiz,

I can't offer you an acl for Squid but I have a way ahead that could help
you eradicate the problem once and for all. It will need some programming
or manual reading trough logfiles. Assuming you have logging on your dial
up service (I guess you use RADIUS and most servers register time,
username, dialup server and IP)

Assuming you have this you could follow the following scenario. You detect
in your Squid log that a Code Red is hitting, record the time (make sure
your time is ntp synchronized on all servers that are involved!) and source
IP. Now look in the RADIUS log. Find the IP and time-index. Now you know
the customer that did not bother to patch his/her IIS.

At that time lock the account and release the call if it is still active.
Pick up the phone and inform your customer what happened and how to fix his
system. Agree on a account-release scenario. Assuming your customers do not
intend to spread worms around or like viruses in their system they will
probably be thankful. (If they do intend to spread viruses you are probably
bound by law to report them to the police and/or deny them access as soon
as you aware)

So this is not a block for Squid (I will leave this to others on the list)
but a method to actively force users to clean their infected systems.
Actually most network administrators would be grateful for this action
because this worm seems to create a unwanted overhead in the intrusion
detection log-files.

>---
>Luiz Lima
>Image Link Internet
>http://www.imagelink.com.br

*********************************************************
** -- This mail is personal -- **
** All statements in this mail are made from my own **
** personal perspective and do not necessarily reflect **
** my employer's nor my ISP's opinions or policies. **
*********************************************************
Received on Tue Aug 14 2001 - 01:40:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:37 MST