Re: [squid-users] Garbled log files

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Jun 2011 03:00:41 +1200

On 18/06/11 01:26, Chris Knipe wrote:
> Hi All,
>
> We have a fairly sized transparent proxy (squid 3.1.12) running around
> 1k requests per minute. Every now and again, for some seemingly
> random host to some seemingly random site, squid would log a few
> requests completely garbled. After a second or two, the requests are
> logged in plain text as normal...
>
> A sample of a "garbled" log entry is given below. This naturally
> causes havoc for web log file analyzers such as calamaris...
>
> 1308301729.706 20 host.name TCP_MISS/400 69453 ^S<B5>
> http://196.43.208.18:3128/+%D4%B0%7C%84%D6 - DIRECT/196.43.208.18
> text/html
>
> Any advice?

Would "Don't do transparent proxy" work?

You are going to get garbage. It just comes with the territory.

That request at least appears to be one of the nicer pieces of software
abusing port 80. It's passing a URL over. The other end is rejecting the
relay. Maybe it doesn't like its binary crap being upgraded to HTTP/1.1
ASCII :).

Could be some innocent user playing with some software that uses port 80
because it is not firewalled to the hilt. Or it could be an attack
underway using you as a relay. Or it could be an infection trying to
spread. You will only know by further investigation of the client
"host.name".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
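Triage logic for records like the one quoted in the thread, added here as an example and not code from the thread or the Squid project: it parses Squid's native access.log layout, splits garbled records from clean ones so an analyzer such as calamaris can be fed the clean file, and tallies the garbled ones per client to point the investigation Amos suggests. The sample lines, the method list and the field layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in Squid native access.log format; line 2 mimics the
# garbled record from the thread (control/8-bit bytes in the method field).
SAMPLE_LOG = """\
1308301700.123 45 host.name TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1308301729.706 20 host.name TCP_MISS/400 69453 \x13\xb5 http://196.43.208.18:3128/+%D4%B0%7C%84%D6 - DIRECT/196.43.208.18 text/html
1308301731.001 12 other.host TCP_HIT/200 2048 GET http://example.org/logo.png - NONE/- image/png
"""

# Methods we expect Squid to log (assumed set; extend for WebDAV etc.).
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS",
                 "TRACE", "CONNECT", "PURGE", "NONE"}

# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$")

def classify(line: str):
    """Return (is_clean, reason, fields); dirty if the layout does not parse,
    the record carries non-printable bytes, or the method is not one we know."""
    m = NATIVE_RE.match(line)
    if not m:
        return False, "unparseable", None
    f = m.groupdict()
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        return False, "non-printable bytes", f
    if f["method"] not in KNOWN_METHODS:
        return False, f"unknown method {f['method']!r}", f
    return True, "", f

def split_log(text: str):
    """Separate clean records from garbled ones; count garbled ones per client
    (third whitespace-separated field, usable even when the rest is junk)."""
    clean, garbled, by_client = [], [], Counter()
    for line in text.splitlines():
        ok, reason, f = classify(line)
        if ok:
            clean.append(line)
            continue
        garbled.append((reason, line))
        parts = line.split(None, 3)
        if len(parts) >= 3:
            by_client[parts[2]] += 1
    return clean, garbled, by_client
```

Write `clean` to the file handed to the analyzer and keep `garbled` aside; a client that keeps showing up in `by_client` is the host to look at next.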
Received on Fri Jun 17 2011 - 15:00:54 MDT
