Re: [squid-users] how to use IP addresses delivered by client?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 23 Jul 2008 01:27:13 +1200

Cezary Rzewuski wrote:
> Hi,
> Is there any possibility for squid not to make DNS lookups at all but be
> provided with the server IP address from client?
>
> The issue is that we're using squid as a proxy for crawling malicious
> sites and the so-called fast-flux attacks are quite popular these days.
> In this kind of attack DNS returns many IP addresses for a URL, few of
> which are usually malicious. So, we'll use some heuristic algorithms to
> choose which IP to check.
> However, the problem is that we need some way to inform squid of the IP
> address it should use for a particular URL. We were thinking of setting up
> our own DNS cache server for squid. However, it changes the project
> architecture a bit. I thought that maybe there exists a way to give squid
> the IP address in an HTTP header (X-IP)?

Doing this in itself makes squid vulnerable to Cache Pollution attacks.
The vulnerability is particularly serious when interacting with those
bad websites, as they and their DNS results are the most likely source
of such attacks.

If you want to maintain data integrity during these test operations you
really do not want the sites to be cached at all between the testing
engine and the tested site. If anything needs to be stored for records,
it's best done by the engine which can identify the material correctly.

You can easily modify the crawler to use IMS requests, and
extract/follow the object expiry information. That's the only benefit I
see squid providing such a test setup.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
Received on Tue Jul 22 2008 - 13:27:12 MDT
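
The following is an added example, not part of the original message or of Squid: a sketch of the crawler-side approach the reply describes, where the crawler sends If-Modified-Since (IMS) requests itself and follows the object's expiry headers instead of relying on a cache in between. The function names and the sample responses are constructed for illustration; it assumes the crawler opens its own socket to the IP its heuristic selected and sends the site name in the Host header.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

def build_ims_request(host, path, last_fetch):
    """Conditional GET bytes; the crawler sends them to the IP it chose itself."""
    if re.search(r"\s", host + path):  # refuse CR/LF or spaces (header injection)
        raise ValueError("whitespace in host or path")
    head = [f"GET {path} HTTP/1.1", f"Host: {host}",
            f"If-Modified-Since: {format_datetime(last_fetch, usegmt=True)}",
            "Connection: close"]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii")

def parse_head(raw):
    """Return (status code, lower-cased header dict) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def recheck_at(headers, received):
    """Expiry time stated by the origin; None means no usable expiry information."""
    try:
        served = parsedate_to_datetime(headers["date"])
    except (KeyError, TypeError, ValueError):
        served = received  # no Date header: fall back to the local receive time
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""), re.I)
    if m:  # max-age takes precedence over Expires
        return served + timedelta(seconds=int(m.group(1)))
    try:
        return parsedate_to_datetime(headers["expires"])
    except (KeyError, TypeError, ValueError):
        return None

# Constructed sample responses (not captured from any real site).
SAMPLE_304 = (b"HTTP/1.1 304 Not Modified\r\nDate: Tue, 22 Jul 2008 13:00:00 GMT\r\n"
              b"Cache-Control: max-age=300\r\n\r\n")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nDate: Tue, 22 Jul 2008 13:00:00 GMT\r\n"
              b"Expires: Tue, 22 Jul 2008 13:10:00 GMT\r\n\r\n<html></html>")

if __name__ == "__main__":
    now = datetime(2008, 7, 22, 13, 0, 1, tzinfo=timezone.utc)
    for sample in (SAMPLE_304, SAMPLE_200):
        status, headers = parse_head(sample)
        print(status, "recheck at", recheck_at(headers, now))
```

A 304 tells the crawler its stored copy is unchanged, and the computed time is when the object should next be re-requested.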