Re: [squid-users] My Squid Under Attack - Help with info please.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 29 Dec 2002 14:20:49 +0100

Firewalling the Squid port is generally a good idea.

Also make sure your squid.conf contains suitable http_access rules only
allowing what should be allowed.

a) Only allow your networks to use the proxy. Make sure all others are
denied access.

b) Only allow proxying to well known services. DO NOT delete the default
Safe_ports or SSL_Ports filter rules designed to block most spammer
abuses of the proxy (these denies abuse of the HTTP proxy to send SMTP
email, connect to IRC etc).

c) Quite often the use of authentication is recommended.

Note: http_access is a ordered list of rules. The first rule where all
listed acls apply will determine if the request is allowed or denied.

http_access allow/deny acl1 AND acl2 AND ...
  OR
http_access allow/deny acl3 AND acl4 AND ...
  OR
...

where AND/OR is in their logic meaning (not the ambigious english
meaning where AND = OR)

Regards
Henrik

Cliff wrote:
>
> Squid 2.4STABLE6 on RH7.3
>
> What exploit is happening?
>
> IP addresses attacking me:
> 209.189.55.195 to 205. (10 consecutive addresses)
>
> They are hitting port 3128.
> They are causing my RH Box to send
> ALOT of traffic to all kinds of places
> with names that include mx...hotmail...yahoo mail...etc.
>
> I assume some spammer is exploiting port 3128
> to cause me to relay spam for them? I killed
> sendmail but the spamming continued.
>
> I can kill squid, which stops me from being
> a spam conduit. I prefer not to kill squid.
>
> So I put in a firewall rule to deny everything
> from 209.189.55.x when going to my external
> port 3128.
>
> This seems to have blocked it however I am still
> currently under attack from the miscreant.
>
> The attack was going on for 4 hours before I stopped it.
> I suppose that for 4 hours the spammer pumped lots
> of spam through my box???
>
> It is still going on, though thank goodness I put
> in the firewall rule and stopped it.
>
> Any links to exploits and information is much appreciated.
> I wonder how long this spammer is gonna keep on trying
> to pump spam through my port 3128?
>
> Thx gurus.
Received on Sun Dec 29 2002 - 07:40:20 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:14 MST