Re: [squid-users] Spoofing attack and bouncer stuff

From: Simon White <simon@dont-contact.us>
Date: Sat, 23 Mar 2002 10:22:45 +0000

23-Mar-02 at 12:58, Beng Santosa (vcunz2@yahoo.com) wrote :
> ..oh..i forgot...i implemented transparent proxy here...now the problem is
> some user in my net using spoofing here....they uses portscan to scan any
> open proxy in internet (we called x)....after that they using that proxy (x)
> from connection option in explorer....hix.....and my rule not working anymore huaaaaa
> hix....... thus any one can helpp meee pleazeee......i hate this spoofing stuff :P, and somebody
> can explain me about bouncer and how to handle it.....thanx very much

Spoofing is making it look like your IP is on another network, rather than on
the network it is actually coming from, by screwing with TCP headers. The most
common form is someone coming on the external interface of a firewall trying
to make it look like they are from your network, possibly bypassing firewall
rules (but not on firewalls with proper rulesets).

This is just hijacking a public proxy, rather than spoofing. I take it that
you have left open either ports 3128 or 8080 on your firewall to the outside
world. This allows your user to get out on the port he wants.

Perhaps you could try blocking any access to ports 80, 3128 and 8080 for
anything but Squid, so that only Squid can get out.

Now if you're saying this guy can spoof, he can probably spoof the IP of Squid
and get out anyway, perhaps. Or he could find a port which is open and tunnel
traffic through there, if determined enough.

The best solution is rather to have an acceptable use policy and to sanction
people about their work, rather than just trying to block them. As one user
said to me when I blocked a games site

"If you block this site, I'll only waste more time trying to find another"

I took away all his Internet access, and he soon learned.

Simon.

-- 
[Simon White. vim/mutt/Linux. simon@mtds.com. GIMPS: 51.28%] v-- John Lennon
Sometimes we sit and read other people's interpretations of our lyrics
and think, 'Hey, that's pretty good.' If we liked it, we would keep our
mouths shut and just accept the credit as if it was what we meant all along.
Received on Sat Mar 23 2002 - 03:22:49 MST
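
Added example, not part of Simon's mail: one way to express "only Squid can get out" on ports 80, 3128 and 8080 as an iptables-restore ruleset, with a LOG rule so direct attempts from the LAN show up in the kernel log. Assumptions not stated in the thread: a Linux gateway running iptables, Squid running on that gateway under a hypothetical account "squid", and a hypothetical LAN interface eth1. It does not cover tunnelling over some other open port, which the mail also mentions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that lets only Squid
# reach web/proxy ports. Interface and account names are assumptions.

PROXY_PORTS="80,3128,8080"   # the three ports named in the mail

egress_rules() {
    lan_if="${1:-eth1}"        # hypothetical LAN-facing interface
    squid_user="${2:-squid}"   # hypothetical account Squid runs as
    cat <<EOF
*filter
# Replies belonging to connections that were already allowed
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Squid's own outbound fetches, matched by the owning account
-A OUTPUT -p tcp -m multiport --dports $PROXY_PORTS -m owner --uid-owner $squid_user -j ACCEPT
# Any other local process talking to those ports is refused
-A OUTPUT -p tcp -m multiport --dports $PROXY_PORTS -j REJECT --reject-with tcp-reset
# LAN clients going direct to an outside web server or proxy: log, then refuse
-A FORWARD -i $lan_if -p tcp -m multiport --dports $PROXY_PORTS -j LOG --log-prefix "proxy-bypass: "
-A FORWARD -i $lan_if -p tcp -m multiport --dports $PROXY_PORTS -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Syntax check only, nothing is loaded:
#   egress_rules eth1 squid | iptables-restore --test
```

Matching on the owning account rather than on a source address means a client that forges Squid's IP still hits the FORWARD rules, and the "proxy-bypass: " log lines identify which internal hosts are trying external proxies.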