Re: [squid-users] lots of UDP connections

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 05 Jun 2011 19:55:47 +1200

On 05/06/11 16:55, Bal Krishna Adhikari wrote:
> On 06/04/2011 12:59 PM, Amos Jeffries wrote:
>>>>>> Bal Krishna Adhikari 6/3/2011 6:13 AM
>>>>>>
>>> Hello,
>>>
>>> I found a lot of UDP connections that are coming to my proxy servers.
>>> I can't find the cause of such one-way traffic to my servers.
>>> A sample of the UDP traffic is as follows:
>>>
>>> 14:00:07.506612 IP 41.209.69.146.10027 > x.x.x.x.65453: UDP, length 30
>>> 14:00:07.518118 IP 121.218.37.254.41597 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.572559 IP 85.224.143.193.29978 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.596554 IP 183.87.200.42.36895 > x.x.x.x.15786: UDP, length 30
>>> 14:00:07.642820 IP 180.215.37.96.49977 > x.x.x.x.49458: UDP, length 30
>>> 14:00:07.653055 IP 117.195.138.64.24314 > x.x.x.x.44985: UDP, length 33
>>> 14:00:07.739963 IP 82.31.238.101.50534 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.783452 IP 86.83.107.196.41870 > x.x.x.x.62782: UDP, length 30
>>> 14:00:07.809677 IP 94.246.23.15.59003 > x.x.x.x.27462: UDP, length 30
>>> 14:00:07.837415 IP 75.156.164.147.49398 > x.x.x.x.34847: UDP, length 30
>>> 14:00:07.841668 IP 82.8.212.242.25931 > x.x.x.x.24869: UDP, length 30
>>> 14:00:07.841697 IP 89.136.112.99.42182 > x.x.x.x.52750: UDP, length 30
>>> 14:00:07.854215 IP 99.191.156.208.18162 > x.x.x.x.64338: UDP, length 30
>>> 14:00:07.885386 IP 88.147.72.252.60224 > x.x.x.x.19151: UDP, length 30
>>> 14:00:07.960841 IP 68.169.185.192.63480 > x.x.x.x.58638: UDP, length 30
>>> 14:00:08.071763 IP 79.113.242.42.31998 > x.x.x.x.33995: UDP, length 30
>>> 14:00:08.078260 IP 94.202.49.109.61957 > x.x.x.x.26071: UDP, length 67
>>> 14:00:08.101495 IP 82.169.68.179.19605 > x.x.x.x.45682: UDP, length 30
>>> 14:00:08.113238 IP 86.99.42.7.15086 > x.x.x.x.11706: UDP, length 67
>>> 14:00:08.127979 IP 62.195.70.253.45266 > x.x.x.x.37050: UDP, length 30
>>> 14:00:08.163992 IP 2.82.207.195.38343 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.183453 IP 68.81.206.57.25923 > x.x.x.x.18378: UDP, length 30
>>> 14:00:08.237689 IP 108.120.241.254.47249 > x.x.x.x.39433: UDP, length 30
>>> 14:00:08.256906 IP 99.161.157.254.41719 > x.x.x.x.26680: UDP, length 30
>>> 14:00:08.291885 IP 121.136.175.247.12577 > x.x.x.x.16485: UDP, length 67
>>> 14:00:08.315427 IP 121.144.158.120.30845 > x.x.x.x.61415: UDP, length 30
>>> 14:00:08.317404 IP 115.117.219.18.25817 > x.x.x.x.59936: UDP, length 30
>>>
>>> Does anyone have any idea if the traffic is genuine or some kind of attack?
>>> x.x.x.x is my proxy server.
>>>
>>> --- Bal Krishna
>>>
>>
>> On 04/06/11 01:16, Chad Naugle wrote:
>> > Check the hostname of these IP addresses. They could be DNS replies,
>> > using random ports for source/destinations. Squid can generate tons of
>> > DNS traffic.
>>
>>
>> I don't think it's genuine Squid traffic. DNS, ICP and HTCP all use a
>> fixed well-known port at one end and a rarely changing port at the other.
>>
>> It could be anything else on the box though.
>>
>> There are a few CVE attacks this could be, two using DNS and one HTCP.
>> If you have a Squid 2.7.STABLE8+, 3.0.STABLE23+ or 3.1.1+ you are safe
>> from those. They are just annoying.
>>
>> If you have a Squid-3.1+ with an IPv6 address publicly advertised this
>> could be a sign of v6 connection attempts. Several IP tunnel protocols
>> involve UDP handshakes.
>>
>> Amos
>
> I'm currently using 2.7.STABLE9.
> And the connections seem to have increased compared to earlier.
> Can blocking UDP other than DNS and SNMP from outside solve the
> problem?

We can't answer that. It may not be a problem. You need to find out what
it actually is. Blocking it will stop it doing anything, but until you
know what it is that may just be creating a different problem.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
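A small triage script in the spirit of Amos's point above (Squid's own UDP exchanges, DNS, ICP and HTCP, have a well-known port at one end), added here as an example and not code from the thread or the Squid project: it parses tcpdump lines like those pasted above and separates packets a Squid box can account for from the rest, then profiles the rest by distinct source, payload length and destination port. The port set and the two 192.0.2.x lines are constructed assumptions.

```python
import re
from collections import Counter

# Squid's stock UDP service ports (the well-known end of each exchange).
# This set is constructed for the example, not taken from the thread.
SQUID_UDP_PORTS = {53: "DNS", 3130: "ICP", 4827: "HTCP", 161: "SNMP"}

# tcpdump shape seen in the thread (the space before '>' is sometimes missing):
#   HH:MM:SS.usec IP a.b.c.d.sport > x.x.x.x.dport: UDP, length N
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\w.]+)\.(?P<sport>\d+) ?> "
                     r"(?P<dst>[\w.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")

def parse_line(line):
    """Return one parsed UDP line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "length": int(m["len"])}

def classify(pkt):
    """Squid-generated UDP has a well-known port at one end; else 'unexplained'."""
    for port in (pkt["sport"], pkt["dport"]):
        if port in SQUID_UDP_PORTS:
            return SQUID_UDP_PORTS[port]
    return "unexplained"

def summarise(lines):
    """Count packets per class; profile unexplained ones by source, length, dport."""
    classes, lengths, dports, sources = Counter(), Counter(), Counter(), set()
    for pkt in filter(None, map(parse_line, lines)):
        cls = classify(pkt)
        classes[cls] += 1
        if cls == "unexplained":
            sources.add(pkt["src"])
            lengths[pkt["length"]] += 1
            dports[pkt["dport"]] += 1
    return {"classes": dict(classes), "unexplained_sources": len(sources),
            "unexplained_lengths": dict(lengths), "unexplained_dports": dict(dports)}

# Four lines as pasted in the thread plus two constructed legitimate ones (a DNS reply
# and an ICP peer; 192.0.2.0/24 is a documentation range, not a real peer).
SAMPLE = [
    "14:00:07.506612 IP 41.209.69.146.10027> x.x.x.x.65453: UDP, length 30",
    "14:00:07.653055 IP 117.195.138.64.24314> x.x.x.x.44985: UDP, length 33",
    "14:00:07.783452 IP 86.83.107.196.41870> x.x.x.x.62782: UDP, length 30",
    "14:00:08.078260 IP 94.202.49.109.61957> x.x.x.x.26071: UDP, length 67",
    "14:00:08.100000 IP 192.0.2.53.53 > x.x.x.x.40012: UDP, length 120",
    "14:00:08.200000 IP 192.0.2.7.3130 > x.x.x.x.3130: UDP, length 48",
]
```

Many distinct sources hitting a few ephemeral ports with identical payload sizes is the pattern to look for in the "unexplained" bucket before deciding on a firewall rule.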
Received on Sun Jun 05 2011 - 07:55:56 MDT