Re: [squid-users] TCP Flooding attack and DNS Poisioning attack

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Apr 2011 15:15:20 +1200

 On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
> On 11/04/2011 20:53, squid_at_sourcesystemsonline.com wrote:
>
>> Good day,
>> Some times when i check my ESET Antivirus LogFile, it shows that
>> some
>> activities of clients in my network are attacking my network
>> especially
>> squid port (3128) with TCP Flooding or DNS Poisioning. I check the
>> internet for there meaning and found out that they are not good
>> activities
>> on any network.
> What?
> it's nice t know that you do have tcp flooding.. or what so..
> but the problem is that the AV is not providing any details on how it
> is getting this conclusion.
> i would start with a simple wireshark on this specific machine that
> you are getting the warnings
> in case you do have some problems on your network setup.
> by the way proxy traffic can indeed in a way be misunderstood as TCP
> flood and DNS spoofer.

 NOTE: Usually TCP flooding is a warning thrown up by the kernel when
 TCP has a lot of new connections made. A busy proxy will easily hit the
 default thresholds for this.

 TCP offers a feature called "SYN cookies" which can help with this
 problem.

 see
 http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html

>> Is there any configuration option(s) in squid that i can use to
>> drop/block
>> such TCP Flooding and DNS Poisioning traffic?
>> Any suggestion?
> Squid is a server.. it wont react unless it requested to do things.
> this is from my experience so unless you have a bad squid setup that
> can lead to open relay proxy..
> i cant really thing of something.
> if i dont know or understand something i would like to here about it.
>

 There is a security vulnerability in the Squid DNS receiving for old
 versions.
 http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
 (NP: right now the advisory shows 2.x as vulnerable. 2.6.STABLE24+ and
 2.7.STABLE8+ should be listed as safe. Fixing that now.)

 Following the workaround indicated or using a fixed version fake DNS
 packets will not be a big problem. Just a waste of some few CPU cycles.

 Further protection can be added by firewalling the DNS responses
 (coming from port 53 UDP or 953 TCP) unless they come from the system
 configured resolver (/etc/resolv.conf). Checking that squid.conf does
 not override the OS with dns_nameservers directive, if it does
 exceptions will need to be added for those machines as well.

 Amos
Received on Tue Apr 12 2011 - 03:15:23 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 12 2011 - 12:00:04 MDT