[squid-users] Squid attack?

From: Paul <paulm.harvey@dont-contact.us>
Date: Fri, 23 Feb 2007 19:07:36 +0000

I recently found internet access very, very slow on my network, and a
little investigation showed up a lot of network activity on a machine I
keep in the DMZ. This Suse 10 machine hosts an SSHD, Apache2 server and
Squid/Dansguardian. The access.log for squid was full of lines like:

1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET
http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET
http://media.fastclick.net/w/get.media? -
DIRECT/63.215.202.application/x-javascript

with lots (150k lines and growing fast) of websites I never visit. It
looks like part of a DDoS attack. I reset my static IP address by
rebooting my router/modem and this stopped the attack. So is it possible
to launch such an attack externally or have I picked up some sort of
Trojan which is launching DoS attacks from my machine? I've had this
behaviour once before, about 10 days ago too. I was running squid on its
default port (3128) and this was not open for input on the firewall,
although port 80 is.
Any thoughts most welcome.
Thanks
Paul.
Received on Fri Feb 23 2007 - 12:07:55 MST
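
A triage sketch for the kind of access.log flood described in this message, added here as an example and not part of the original post: it parses Squid's native log format and reports request counts per client, the top destination hosts, and clients that burst within one minute. The sample lines, the `burst_per_min` threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
RECORD = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample (documentation addresses and example hosts, not real log data).
# The last line is deliberately damaged to show that it is skipped, not guessed at.
SAMPLE = """\
1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET http://ads.example.net/imp? - DIRECT/192.0.2.11 -
1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET http://media.example.org/w/get.media? - DIRECT/192.0.2.20 application/x-javascript
1172143803.900 120 127.0.0.1 TCP_MISS/200 900 GET http://ads.example.net/imp? - DIRECT/192.0.2.11 text/html
1172143950.100 45 10.0.0.5 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
1172143951.000 12 127.0.0.1 TCP_MISS/200 GET broken
"""

def dest_host(url):
    """Destination host for http:// URLs and for CONNECT-style host:port targets."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]

def summarize(text, burst_per_min=3):
    """Summarize who is asking Squid for what, and which clients burst."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    recs = [m.groupdict() for m in map(RECORD.match, lines) if m]
    clients = Counter(r["client"] for r in recs)
    hosts = Counter(dest_host(r["url"]) for r in recs)
    per_min = Counter((r["client"], int(float(r["ts"])) // 60) for r in recs)
    bursts = sorted({c for (c, _), n in per_min.items() if n >= burst_per_min})
    # Squid logs only its immediate peer: a loopback client means a local
    # process (a filter in front of Squid, or a local program) made the request.
    loopback = sum(n for c, n in clients.items() if c.startswith("127.") or c == "::1")
    return {
        "parsed": len(recs), "skipped": len(lines) - len(recs),
        "clients": dict(clients), "top_hosts": hosts.most_common(3),
        "burst_clients": bursts,
        "loopback_share": loopback / len(recs) if recs else 0.0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high `loopback_share` means Squid's log alone cannot show where the requests originated; the logs of whatever local service hands requests to Squid are the next place to look.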
