Re: [squid-users] weird traffic coming from my squid box to clients on port 3128

From: Bostonian <ygwen77_at_gmail.com>
Date: Wed, 4 Feb 2009 15:05:49 -0800

Thank you, Amos.

From access.log, these client IPs with state of Established seem to
have some hits from cached contents.

I have also noticed that squid.ip.randomport. but majority of
established tcp connections is using 3128.

Any further idea on this issue is highly appreciated.

On Tue, Feb 3, 2009 at 8:39 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Bostonian wrote:
>>
>> With netstat -n |grep SYN_RECV command, it shows that a few foreign hosts
>>
>> tcp 0 xx.xx.xx.xxx.3128 yy.yy.yy.yyy.1433 SYN_RECV
>> ....
>>
>> With netstat -n|grep ESTABLISHED command, it shows that a few foreign hosts
>>
>> tcp 0 xx.xx.xx.xxx.3128 zz.zz.zzz.zz1430 SYN_RECV
>> ....
>>
>> Is this normal?
>
> Maybe, maybe not.
>
> Check your access.log to see what is happening to those connections. They
> may be attack attempts that are denied safely by squid.
>
> Amos
>
>>
>>
>> On Mon, Feb 2, 2009 at 6:50 PM, Bostonian <ygwen77_at_gmail.com> wrote:
>>>
>>> I am a newbie here. Does "doing interception on inbound connections"
>>> mean that my squid box intercepts the client's request and returns the
>>> traffic from port 3128? Is this the normal way through which squid
>>> returns the request to its clients?
>>> Thank you.
>>>
>>> On Mon, Feb 2, 2009 at 6:35 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>> wrote:
>>>>>
>>>>> Dear All:
>>>>>
>>>>> I am running a squid 3.0 on a centos box and set it as
>>>>>
>>>>> http_port 3128 transparent
>>>>>
>>>>> It has been working well for a while. Then I noticed a traffic spike.
>>>>> tcpdump shows that there is a lot of traffic from port 3128 to other
>>>>> clients. I have disabled incoming traffic to 3128 from outside.
>>>>>
>>>>> What could be the reason? Someone hacked my cache?
>>>>>
>>>>> Best Regards,
>>>>> Young Wen
>>>>>
>>>> Perhaps you are doing interception on inbound connections somehow?
>>>> NAT will break past the firewall in that case.
>>>>
>>>> Amos
>>>>
>>>>
>>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
> Current Beta Squid 3.1.0.4
>
Received on Wed Feb 04 2009 - 23:05:52 MST
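
The cross-check suggested in the thread (look up the peers that netstat shows on port 3128 in access.log), as an added Python example that is not part of the original messages. The netstat and log lines are constructed samples using documentation addresses, the function names are hypothetical, and the log is assumed to be in Squid's native access.log format.

```python
import re
from collections import Counter, defaultdict
# Constructed sample data using documentation addresses, not from the thread.
NETSTAT = """\
tcp 0 192.0.2.10.3128 198.51.100.7.1433 SYN_RECV
tcp 0 0 192.0.2.10:3128 203.0.113.5:1430 ESTABLISHED
tcp 0 0 192.0.2.10:3128 203.0.113.9:2211 ESTABLISHED
"""
ACCESS_LOG = """\
1233788749.101 12 203.0.113.5 TCP_HIT/200 5120 GET http://example.com/a.png - NONE/- image/png
1233788749.400 85 203.0.113.5 TCP_MISS/200 9000 GET http://example.com/ - DIRECT/192.0.2.80 text/html
1233788750.020 1 203.0.113.9 TCP_DENIED/403 1400 GET http://example.net/ - NONE/- text/html
1233788750.500 0 203.0.113.9 TCP_DENIED/403 1400 CONNECT example.org:25 - NONE/- text/html
"""

def peers(netstat_text, port=3128):
    """Remote IP -> set of TCP states, for sockets whose local port is `port`."""
    out = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith("tcp"):
            continue
        m = re.match(r"(.+)[:.]\d+$", f[-2])  # remote end as ip:port or ip.port
        if m and re.split(r"[:.]", f[-3])[-1] == str(port):
            out[m.group(1)].add(f[-1])
    return out

def results_by_client(log_text):
    """Client IP -> Counter of result codes (4th field of the native log format)."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 4 and "/" in f[3]:
            out[f[2]][f[3].split("/")[0]] += 1
    return out

def triage(netstat_text, log_text, port=3128):
    """Per netstat peer: (TCP states, result-code counts, verdict)."""
    log, report = results_by_client(log_text), {}
    for ip, states in peers(netstat_text, port).items():
        codes = dict(log.get(ip, {}))
        if not codes:
            verdict = "no log entries"
        elif set(codes) == {"TCP_DENIED"}:
            verdict = "denied only"
        else:
            verdict = "served"
        report[ip] = (sorted(states), codes, verdict)
    return report
```

A peer seen only in SYN_RECV has not completed the TCP handshake, so Squid logs nothing for it; "denied only" corresponds to requests that Squid refused.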
