Re: [squid-users] Proxy doing Denial Of Service attack

From: Rude Yak <[email protected]>
Date: Thu, 10 Oct 2002 11:07:26 -0700 (PDT)

  The number of calls seems normal (TCP retry, etc.). Does your squid log
destination IP or URL? You may want to run an nslookup or WHOIS query on the
IPs in question to see if it's being logged but under a different name than the
one you're looking for. As far as monitoring outbound traffic, depending on
your O/S, you could run tcpdump or snoop on your Internet-facing interface to
determine whether it is truly your machine generating the traffic; lsof can
also be a handy tool (see the "-r" and "-i" options). It is possible that your
source IP is being used as a spoofed address or decoy -- although if you're
getting complaints from your own firewall folks, that may be an unlikely
scenario.

--- "Higginbotham, Perry" <PHigginb@MAIL.co.washoe.nv.us> wrote:
> Hi there,
>
> It appears as though my proxy is doing a Denial Of Service attack to a range
> of IP addresses. My firewall folks have given me a list stating the IPs
> that the proxy is sending requests to and the source IP being my proxy. I
> assumed that this was an internal thing but having looked through my
> access.log files and searching for the destination IPs I can't find them.
> It appears as though the calls are being made without being cached. Could
> this be done from outside? The service is listed as "tcp-2112-ddos". The
> proxy makes six calls per IP then moves on. Is there a way to monitor this
> activity other than the access.log files? Any help, opinions, etc. are
> greatly appreciated.
>
> Thanks
> Perry

Received on Thu Oct 10 2002 - 12:07:30 MDT
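
The access.log check suggested in the reply, as an added example that is not part of the original thread: it resolves the host names Squid logged and compares the results with the firewall team's IP list, so an entry recorded by name is not missed by a search for the bare address. It assumes Squid's native access.log field order; the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not from the thread).
SAMPLE_LOG = """\
1034272001.101    312 10.1.1.20 TCP_MISS/200 4312 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1034272002.202     95 10.1.1.37 TCP_MISS/000 0 GET http://target.example.net:2112/ - DIRECT/target.example.net -
1034272003.303    120 10.1.1.37 TCP_MISS/200 39 CONNECT 192.0.2.45:443 - DIRECT/192.0.2.45 -
1034272004.404      3 10.1.1.20 TCP_HIT/200 900 GET http://www.example.com/logo.gif - NONE/- image/gif
"""

def request_host(method, url):
    """Destination host named in the URL field of one log entry."""
    if method == "CONNECT":  # CONNECT entries log host:port rather than a URL
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname

def dns_lookup(host):
    """Resolve a name to its IPv4 addresses; empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def find_suspect_entries(log_text, suspect_ips, resolver=dns_lookup):
    """Return (client, logged_host, matched_ip) for entries reaching a suspect IP."""
    suspects, cache, hits = set(suspect_ips), {}, []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # truncated or non-native line
        client, method, url = fields[2], fields[5], fields[6]
        peer = fields[8].partition("/")[2]  # host part of e.g. DIRECT/host
        for host in sorted({request_host(method, url), peer} - {None, "", "-"}):
            try:
                addrs = {str(ipaddress.ip_address(host))}  # already an IP
            except ValueError:
                if host not in cache:
                    cache[host] = resolver(host)  # a name: resolve it once
                addrs = cache[host]
            hits.extend((client, host, ip) for ip in sorted(addrs & suspects))
    return hits

if __name__ == "__main__":
    # Constructed addresses standing in for the firewall team's list.
    for hit in find_suspect_entries(SAMPLE_LOG, ["198.51.100.7", "192.0.2.45"]):
        print(hit)
```

A name may resolve differently now than it did when the request was made, so an empty result does not by itself rule the proxy out; the tcpdump or snoop capture mentioned in the reply remains the direct check.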

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:40 MST