[squid-users] DoS Vulnerabilities involving Squid &/or ICP?

From: Haim [Howard] Roman <roman@dont-contact.us>
Date: Thu, 02 Aug 2007 19:11:52 +0300

Hello. I was trying to check whether there is some security hole or
issue with our squid &/or ICP that I should know about. I looked around
the www.squid-cache.org & the web, but didn't find anything relevant to
the case below. I'd appreciate any pointers.

BACKGROUND:

Someone from web site X claimed that someone from our site was launching
a DoS against them. The IP he gave was our proxy. It turns out someone
from our site *was* repeatedly trying to download a certain audio URL
(perhaps non-maliciously).

When checking our squid logs, I found the following message:

    ploni.jct.ac.il - - [01/Aug/2007:16:30:02 +0300] "ICP_QUERY http://www.a.org/uploadfile/radio/pu2.wma?lang=hebrew HTTP/0.0" 0 80 UDP_MISS:NONE

I changed the 2 host names. "ploni" is our wireless network server. It
runs its own squid, which uses our proxy server's squid as a parent.
That's the ICP_QUERY above. Not knowing much about ICP, I first thought
the above message was suspicious, though I don't think so now.

CONFIGURATION:

Our proxy server runs:

    * Squid Cache: Version 2.5.STABLE6-CVS
    * Red Hat Enterprise Linux WS release 3 (Taroon Update 1)
    * kernel 2.4.21-9.ELsmp

Our wireless server runs:

    * Squid Cache: Version 2.5.STABLE3
    * Red Hat Enterprise Linux WS release 3 (Taroon Update 5)
    * kernel 2.4.21-37.ELsmp

Thanks

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Haim (Howard) Roman
Computer Center, Jerusalem College of Technology
roman@jct.ac.il
Phone: 052-8-592-599 (6022 from within Machon Lev)
Received on Thu Aug 02 2007 - 10:12:20 MDT
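Added example (not from the poster or the Squid project): a small parser for access.log lines in the httpd-emulation format quoted above, which sets ICP_QUERY entries aside (they record the child cache asking the parent whether it holds the object, not a fetch from the origin) and flags a client that fetches the same URL repeatedly within a short window. The sample entries, the 5-requests-in-5-minutes threshold and the GET lines attributed to ploni are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Squid httpd-emulation access.log line: client ident user [ts] "method url proto" status bytes TAG:HIER
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<tag>\S+)$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["icp"] = rec["method"] == "ICP_QUERY"  # cache-to-cache probe, not an origin fetch
    return rec

def repeated_fetches(lines, window=timedelta(minutes=5), threshold=5):
    """Map (client, url) -> total fetch count for pairs that reach `threshold`
    requests inside any `window`; ICP_QUERY entries are skipped."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["icp"]:
            continue
        seen[(rec["client"], rec["url"])].append(rec["ts"])
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(stamps)
                break
    return flagged

# Constructed sample: the ICP probe from the mail plus hypothetical GETs behind it.
URL = "http://www.a.org/uploadfile/radio/pu2.wma?lang=hebrew"
SAMPLE = [
    f'ploni.jct.ac.il - - [01/Aug/2007:16:30:02 +0300] "ICP_QUERY {URL} HTTP/0.0" 0 80 UDP_MISS:NONE',
] + [
    f'ploni.jct.ac.il - - [01/Aug/2007:16:30:{s:02d} +0300] "GET {URL} HTTP/1.0" 200 524288 TCP_MISS:FIRST_UP_PARENT'
    for s in (3, 10, 18, 25, 33, 40)
] + [
    'ploni.jct.ac.il - - [01/Aug/2007:16:31:00 +0300] "GET http://www.example.org/ HTTP/1.0" 200 1234 TCP_HIT:NONE',
]

if __name__ == "__main__":
    for (client, url), n in repeated_fetches(SAMPLE).items():
        print(f"{client} fetched {url} {n} times")
```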

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT