Re: [squid-users] TCP Flooding attack and DNS Poisioning attack

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Thu, 14 Apr 2011 02:09:39 +0300

On 12/04/2011 08:37, Amos Jeffries wrote:

> On 12/04/11 15:51, Eliezer Croitoru wrote:
>> On 12/04/2011 06:15, Amos Jeffries wrote:
>>
>>> On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
>>>> On 11/04/2011 20:53, squid_at_sourcesystemsonline.com wrote:
>>>>
>>>>> Good day,
>>>>> Some times when i check my ESET Antivirus LogFile, it shows that some
>>>>> activities of clients in my network are attacking my network
>>>>> especially
>>>>> squid port (3128) with TCP Flooding or DNS Poisioning. I check the
>>>>> internet for there meaning and found out that they are not good
>>>>> activities
>>>>> on any network.
>>>> What?
>>>> it's nice t know that you do have tcp flooding.. or what so..
>>>> but the problem is that the AV is not providing any details on how it
>>>> is getting this conclusion.
>>>> i would start with a simple wireshark on this specific machine that
>>>> you are getting the warnings
>>>> in case you do have some problems on your network setup.
>>>> by the way proxy traffic can indeed in a way be misunderstood as TCP
>>>> flood and DNS spoofer.
>>>
>>> NOTE: Usually TCP flooding is a warning thrown up by the kernel when
>>> TCP has a lot of new connections made. A busy proxy will easily hit
>>> the default thresholds for this.
>>>
>>> TCP offers a feature called "SYN cookies" which can help with this
>>> problem.
>>>
>>> see
>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
>>>
>>>
>> so it's almost sure that the same mechanism that works on linux kernel..
>> is been used on the eset..
>> the thing is that we are talking about the AV that sits on other
>> machine..
>> so, it's seems kind of odd for the AV\FW on other machine to actually be
>> 100% reliable on the analysis in this case?
>>
>
> Yes. Is it getting a copy of all the packets? either by port mirroring
> or being a bridge?
> It could be checking the same things, but without the benefits of
> tuning the Squid box has.
>
> How its getting the poisoning attack conclusion baffles me a bit.
> Though working blind as to how the EV integrates with the network that
> is not hard.
>
> Amos
I work with eset AV and FW systems and as far as i know they dont have
IDS systems so it seems to me a malfunctioning or flooded switch
cause most of the IDS systems knows how to understand network
streams.(or at least suppose to)
i really would like to know the network topology in this place :)

Eliezer
Received on Wed Apr 13 2011 - 23:38:52 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 14 2011 - 12:00:03 MDT