Re: [squid-users] TCP Flooding attack and DNS Poisoning attack

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Apr 2011 17:37:50 +1200

On 12/04/11 15:51, Eliezer Croitoru wrote:
> On 12/04/2011 06:15, Amos Jeffries wrote:
>
>> On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
>>> On 11/04/2011 20:53, squid_at_sourcesystemsonline.com wrote:
>>>
>>>> Good day,
>>>> Sometimes when I check my ESET Antivirus log file, it shows that some
>>>> activities of clients in my network are attacking my network, especially
>>>> the squid port (3128), with TCP Flooding or DNS Poisoning. I checked the
>>>> internet for their meaning and found out that they are not good
>>>> activities on any network.
>>> What?
>>> It's nice to know that you do have TCP flooding.. or whatever it is..
>>> but the problem is that the AV is not providing any details on how it
>>> is getting to this conclusion.
>>> I would start with a simple Wireshark capture on the specific machine
>>> that you are getting the warnings from,
>>> in case you do have some problems in your network setup.
>>> By the way, proxy traffic can indeed in a way be misunderstood as a TCP
>>> flood and DNS spoofer.
>>
>> NOTE: Usually TCP flooding is a warning thrown up by the kernel when
>> TCP has a lot of new connections made. A busy proxy will easily hit
>> the default thresholds for this.
>>
>> TCP offers a feature called "SYN cookies" which can help with this
>> problem.
>>
>> see
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
>>
> So it's almost sure that the same mechanism that works in the Linux kernel..
> is being used on the ESET..
> The thing is that we are talking about an AV that sits on another machine..
> so it seems kind of odd for the AV\FW on another machine to actually be
> 100% reliable in the analysis in this case?
>

Yes. Is it getting a copy of all the packets? Either by port mirroring
or by being a bridge?
  It could be checking the same things, but without the benefits of the
tuning the Squid box has.

How it's getting the poisoning attack conclusion baffles me a bit. Though,
working blind as to how the AV integrates with the network, that is not hard.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Tue Apr 12 2011 - 05:37:53 MDT
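The kernel-side behaviour Amos describes (the "possible SYN flooding" warning a busy proxy trips, and SYN cookies as the mitigation), worked through as a small triage script. This is an added example and not code from the thread or from the Squid project: SAMPLE_DMESG and the sysctl snapshot are constructed samples, the sysctl names are the real Linux knobs, and ASSUMED_MIN_BACKLOG is an assumed illustrative threshold rather than a value from the list.

```python
"""Triage "possible SYN flooding" kernel warnings for a Squid box.

Added example for this thread (not code from the list or the Squid project).
Assumptions: the kernel log lines below are constructed samples in the
wording the Linux TCP stack uses; the sysctl names are the real Linux knobs,
but the backlog threshold recommended is an assumed value for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of kernel log (dmesg) lines. When net.ipv4.tcp_syncookies
# is enabled the kernel answers the backlog overflow with "Sending cookies";
# when it is disabled the excess SYNs are dropped ("Dropping request").
SAMPLE_DMESG = """\
[ 1201.334] TCP: Possible SYN flooding on port 3128. Sending cookies.  Check SNMP counters.
[ 1201.900] TCP: Possible SYN flooding on port 3128. Sending cookies.  Check SNMP counters.
[ 1302.112] possible SYN flooding on port 3128. Dropping request.
[ 1400.500] eth0: link up
[ 1500.010] TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
"""

# Matches both the older lowercase and the newer "TCP: Possible ..." wording.
SYN_FLOOD_RE = re.compile(
    r"possible SYN flooding on port (?P<port>\d+)\.\s+"
    r"(?P<action>Sending cookies|Dropping request)",
    re.IGNORECASE,
)


def parse_syn_flood_events(log_text):
    """Return a list of (port, action) tuples, one per SYN-flood warning line."""
    events = []
    for line in log_text.splitlines():
        m = SYN_FLOOD_RE.search(line)
        if m:
            events.append((int(m.group("port")), m.group("action")))
    return events


def summarize_by_port(events):
    """Count warnings per listening port, split by what the kernel did."""
    summary = defaultdict(Counter)
    for port, action in events:
        summary[port][action] += 1
    return dict(summary)


def ports_with_drops(summary):
    """Ports where SYNs were actually dropped, i.e. clients lost connections."""
    return sorted(p for p, c in summary.items() if c["Dropping request"] > 0)


# Assumed backlog floor for a busy proxy; tune to the observed connection rate.
ASSUMED_MIN_BACKLOG = 1024


def check_syncookie_settings(sysctl):
    """Given a mapping of sysctl names to string values (as `sysctl -a` prints
    them), return a list of recommended changes in `name=value` form."""
    recs = []
    if sysctl.get("net.ipv4.tcp_syncookies", "0") == "0":
        recs.append("net.ipv4.tcp_syncookies=1")
    for knob in ("net.ipv4.tcp_max_syn_backlog", "net.core.somaxconn"):
        if int(sysctl.get(knob, "0")) < ASSUMED_MIN_BACKLOG:
            recs.append(f"{knob}={ASSUMED_MIN_BACKLOG}")
    return recs


def triage(log_text, sysctl):
    """Combine the log evidence with the current settings into one report."""
    summary = summarize_by_port(parse_syn_flood_events(log_text))
    return {
        "per_port": {p: dict(c) for p, c in summary.items()},
        "ports_with_drops": ports_with_drops(summary),
        "recommended_sysctl": check_syncookie_settings(sysctl),
    }


if __name__ == "__main__":
    # Constructed snapshot of a stock-like configuration with cookies disabled.
    current = {
        "net.ipv4.tcp_syncookies": "0",
        "net.ipv4.tcp_max_syn_backlog": "128",
        "net.core.somaxconn": "128",
    }
    report = triage(SAMPLE_DMESG, current)
    for port, counts in sorted(report["per_port"].items()):
        print(f"port {port}: {counts}")
    print("ports with dropped SYNs:", report["ports_with_drops"])
    print("suggested sysctl changes:", report["recommended_sysctl"])
```

The distinction the script draws is the one that matters for a proxy: "Sending cookies" means the backlog overflowed but the kernel kept accepting connections, which is the expected noise on a busy Squid box; "Dropping request" means SYN cookies are off and real clients are losing connections, which is the case worth fixing before worrying about whether the ESET alert is an attack.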
