Re: [squid-users] DNS Attack

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Tue, 5 Jun 2012 10:47:03 -0400

Here is the request this guy is sending. Perhaps this could shed some light.

..............E..dm.@.....|...`9.....P..].-..#P....H..GET.http://www.asd818.com/.HTTP/1.1..Accept:.*/*..Referer:.http://www.asd818.com/..Accept-Language:.zh-cn..Accept-Encoding:.gzip,.deflate..User-Agent:.Mozilla/4.0.(compatible;.MSIE.6.0;.Windows.5.1;Windows.5.5;Windows.6.0)..Host:.www.asd818.com..Proxy-Connection:.Keep-Alive..Pragma:.no-cache..Cookie:.Keep-Alive...

Thanks again

On Mon, Jun 4, 2012 at 7:42 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 4/06/2012 8:36 a.m., Roman Gelfand wrote:
>>
>> I have set up a squid server to function as both forward and reverse
>> proxy.  It appears that I am getting flooded with http requests with
>> non-existent URLs.  Consequently, this slows down my firewall as the
>> dns server is slowing down the query response.  Is there a way to
>> prevent dns lookup if the url doesn't match the pattern?
>>
>> Thanks in advance
>
>
> Squid rejects requests with non-existent URLs as invalid HTTP syntax during
> parsing. There is no DNS involved there.
>
> I assume you mean the URL has an unregistered domain name and the requests
> are coming in with a great many different domains?
>
> Reverse-proxy requests should have 0 DNS usage. Forward-proxy should only
> need DNS after accepting a request for relay. There are some exceptions to
> that, but most networks will fit that generalization. It is achieved by
> reverse-proxy using dstdomain ACLs, and forward-proxy using src client IP or
> proxy_auth login credentials to determine traffic acceptance. DNS is not
> involved in any of those ACL types.
>
> This small alteration (adding localnet filter) to the basic reverse-proxy
> config should stop those requests, no DNS involved:
>
>  # reverse-proxy rules
>  acl localdomains dstdomain example.com
>  http_access allow localdomains
>  http_access deny !localnet
>
>  # ... other forward-proxy rules...
>
>
> Also, if you have "dst" in the reverse-proxy allow rules, change it to
> dstdomain and DNS load should vanish.
>
>
> Amos
>
Received on Tue Jun 05 2012 - 14:47:12 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 05 2012 - 12:00:03 MDT
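The point of Amos's reply is that `dstdomain` and `src` are evaluated on strings and client addresses that are already in hand, while `dst` has to resolve the requested hostname before it can compare anything, so a flood of requests for unregistered names turns into a flood of DNS queries. The following is an added illustration, not code from the squid-users thread or from Squid itself: a small Python model of Squid's first-match `http_access` evaluation, instrumented to count resolver calls. It runs the `dstdomain`-first rule set from the reply and an otherwise identical rule set written with `dst` over a constructed flood of requests. The client subnet (192.0.2.0/24), the site address (203.0.113.0/24), the hostnames under `.invalid` and the resolver behaviour are all constructed for the demo; the `dstdomain` matching rule (a leading dot matches the domain and its subdomains, no dot means an exact match) follows Squid's documented semantics.

```python
"""
Added example (not from the squid-users thread or Squid's own code):
a first-match http_access model that counts DNS lookups per rule set.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str   # source address of the TCP connection
    host: str        # hostname from the request URL


class DnsLog:
    """Stand-in resolver that records every lookup it is asked to do."""
    def __init__(self):
        self.lookups = []

    def resolve(self, host):
        self.lookups.append(host)
        # constructed: only example.com resolves; everything else is NXDOMAIN
        return "203.0.113.10" if host == "example.com" else None


# Each ACL is a function (request, dns) -> bool, like Squid's acl types.
def acl_src(cidrs):
    """src: match on the client IP, which the proxy already knows."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req, dns: any(ipaddress.ip_address(req.client_ip) in n for n in nets)


def acl_dstdomain(patterns):
    """dstdomain: pure string comparison against the URL host, no DNS.
    'example.com' matches only that name; '.example.com' also matches subdomains."""
    def match(req, dns):
        h = req.host.lower()
        for p in patterns:
            p = p.lower()
            if p.startswith("."):
                if h == p[1:] or h.endswith(p):
                    return True
            elif h == p:
                return True
        return False
    return match


def acl_dst(cidrs):
    """dst: compares the *resolved* destination address, so it must hit DNS."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    def match(req, dns):
        ip = dns.resolve(req.host)
        return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    return match


def http_access(rules, req, dns):
    """Squid first-match: each rule is (action, [(acl, negated), ...]) and matches
    when every term on the line matches. If nothing matches, the decision is
    the opposite of the last rule's action, as in Squid."""
    for action, terms in rules:
        if all(acl(req, dns) != negated for acl, negated in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed ACL definitions.
localnet = acl_src(["192.0.2.0/24"])           # the proxy's own clients
localdomains = acl_dstdomain(["example.com"])  # the reverse-proxied site
dstnet = acl_dst(["203.0.113.0/24"])           # same site, but by resolved IP

# Rule set from the reply: allow the site by name, then drop outsiders.
RULES_DSTDOMAIN = [
    ("allow", [(localdomains, False)]),
    ("deny",  [(localnet, True)]),     # http_access deny !localnet
    ("allow", [(localnet, False)]),    # forward-proxy rule for local clients
]

# Same intent, but the reverse-proxy allow uses "dst" instead of dstdomain.
RULES_DST = [
    ("allow", [(dstnet, False)]),
    ("deny",  [(localnet, True)]),
    ("allow", [(localnet, False)]),
]


def run(rules, requests):
    """Evaluate every request; return (decisions, number of DNS lookups)."""
    dns = DnsLog()
    decisions = [http_access(rules, r, dns) for r in requests]
    return decisions, len(dns.lookups)


# Constructed flood: outside clients asking for names that do not exist.
FLOOD = [Request("198.51.100.%d" % (i + 1), "junk-%d.invalid" % i) for i in range(6)]
# Constructed legitimate traffic: a visitor to the site, and a local client.
LEGIT = [Request("198.51.100.50", "example.com"), Request("192.0.2.7", "junk-9.invalid")]

if __name__ == "__main__":
    for name, rules in (("dstdomain", RULES_DSTDOMAIN), ("dst", RULES_DST)):
        decisions, lookups = run(rules, FLOOD)
        print("%-9s flood: %s, DNS lookups: %d" % (name, decisions, lookups))
```

Both rule sets reject the whole flood, but the `dst` variant pays one resolver call per request before it can reject, which is exactly the load the original post describes, while the `dstdomain` variant makes no lookups at all (the local client's accepted request in `LEGIT` would of course be resolved later, when Squid forwards it, but that is traffic you chose to accept). One caveat worth knowing when applying this in real Squid: `dstdomain` is string-only for hostnames, but if the request URL carries a bare IP address instead of a name, Squid may do a reverse lookup to obtain a name to compare; newer releases offer a `-n` flag on `dstdomain` to suppress that.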