Re: [squid-users] TCP Flooding attack and DNS Poisioning attack

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 15 Apr 2011 16:05:50 +1200

On 15/04/11 02:05, squid_at_sourcesystemsonline.com wrote:
> Good day,
> Thanks all for your concern. The network topology is as follows:
> Workstations are installed with Windows 7 Pro with Spyware Terminator with
> integrated ClamAV, all linked to a Cisco 2950 switch, and a multihomed server
> with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to
> the Cisco switch for the LAN connection and the other to the internet through a
> broadband device. Windows 7 on the server is used to share the internet
> connection and the workstation browsers are configured to use the server IP and
> port 3128.
> Thanks for your assistance,
> regards,
> Yomi
>

Thanks. A couple of things are in effect here and come to mind as
possible reasons for the warnings.

Firstly is the low (2048) FD limit on Windows. We have not been able to
avoid that. ESET may simply be detecting the client traffic reaching or
passing that limit. If so it's not so much a security issue as a resource
overload issue.
  The traffic bottlenecks behind Squid so clients get a crap experience,
but the Internet is saved from anything they try.

The other idea depends on whether you have ClamAV integrated to scan the
Squid traffic?
   ClamAV with Squid-2 has to use a redirector. This forces up to
*three* requests processed by Squid to fetch any new object. The first
one from the client kicks off a ClamAV scan (getting a 3xx back from the
ClamAV redirector). Then the ClamAV fetch to get the content for scanning.
Then the follow-up client request to get the scanned content from ClamAV.

DNS I'm not so sure of. Squid should not be making a huge amount of DNS
requests. It could be your clients making a great many requests of
Squid. If ESET reports which client IPs are the suspect ones, look
through the Squid access.log and cache.log to see what those are doing.
   Your configuration can affect DNS load in bad ways though. For
example, using the dst ACL raises DNS load by an extra lookup per ACL
test in 2.7.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Fri Apr 15 2011 - 04:05:57 MDT
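Amos suggests taking the client IPs that ESET flags and checking access.log to see what those clients are doing. The script below is an added example for this thread, not code from the original message or from the Squid project: it parses the default Squid "native" access.log layout (timestamp, elapsed, client, action/code, bytes, method, URL, ...), and for each client counts requests, 3xx responses (the kind a ClamAV redirector setup produces), and distinct destination hostnames, which approximate the forward DNS lookups Squid has to do on that client's behalf. The sample log lines are constructed for the demonstration, the IP addresses in them are documentation ranges, and the thresholds passed to `suspect_clients` are hypothetical values to tune for your own LAN.

```python
"""Per-client summary of a Squid native-format access.log.

Added example, not part of the original thread or of Squid itself.
Assumes the default native log layout (fields separated by runs of spaces):

  timestamp elapsed client action/code bytes method URL ident hierarchy/peer type
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One regex over the leading fields of the native format.  The trailing
# ident / hierarchy / type fields are ignored because they vary between
# Squid versions and peer setups.
NATIVE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Literal IPv4 destinations need no forward DNS lookup, so they are not
# counted as DNS-driving hosts below.
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = NATIVE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    url = rec["url"]
    # CONNECT requests are logged as "host:port" rather than as a full URL.
    if rec["method"] == "CONNECT":
        rec["host"] = url.rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(url).hostname
    return rec


def summarize(lines):
    """Per-client counters: total requests, 3xx responses, and the set of
    destination hostnames (each a potential forward DNS lookup)."""
    stats = defaultdict(lambda: {"requests": 0, "redirects": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort
        s = stats[rec["client"]]
        s["requests"] += 1
        if 300 <= rec["status"] < 400:
            s["redirects"] += 1
        if rec["host"] and not IPV4_RE.match(rec["host"]):
            s["hosts"].add(rec["host"])
    return stats


def suspect_clients(stats, max_requests, max_hosts):
    """Clients exceeding either limit, sorted.  The limits are hypothetical
    and should be set from what a normal workstation on your LAN does."""
    return sorted(
        client for client, s in stats.items()
        if s["requests"] > max_requests or len(s["hosts"]) > max_hosts
    )


# Constructed sample log (not from the poster's server).  192.168.1.10 behaves
# normally; 192.168.1.20 sends a burst of redirected requests to many hosts.
SAMPLE_LOG = [
    "1302840000.101    120 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1302840001.202     15 192.168.1.10 TCP_HIT/200 812 GET http://www.example.com/style.css - NONE/- text/css",
    "1302840002.303    250 192.168.1.10 TCP_MISS/200 2048 CONNECT mail.example.com:443 - DIRECT/93.184.216.34 -",
    "this line is deliberately malformed and must be skipped",
    "1302840200.000     30 192.168.1.20 TCP_MISS/200 100 GET http://203.0.113.5/x - DIRECT/203.0.113.5 text/plain",
] + [
    f"{1302840100 + i}.000     90 192.168.1.20 TCP_MISS/302 310 GET http://host{i}.example.net/ - DIRECT/198.51.100.1 text/html"
    for i in range(25)
]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(f"{client}: {s['requests']} requests, {s['redirects']} 3xx, "
              f"{len(s['hosts'])} distinct hosts")
    print("suspect:", suspect_clients(stats, max_requests=20, max_hosts=10))
```

Run it against the real log with `summarize(open("access.log"))`; a client with far more distinct hosts than its peers is the one driving Squid's DNS resolver, while a high 3xx count on every client is the redirector round trip Amos describes rather than anything the clients are doing.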
