Re: [squid-users] Squid attack?

From: Paul <[email protected]>
Date: Fri, 23 Feb 2007 20:33:43 +0000

Thanks Henrik,
I'm a little out of my depth here - I don't know much about squid or
proxies at all - I've set it up to use DansGuardian, and left it pretty
much at default settings. I was on port 3128, but have now moved to a
high port number to try and avoid this.

What's the difference between a normal and a transparently intercepting proxy?

I've got 22, 21, 80 and 80xx, which I currently port forward to an
apache server on a machine inside the LAN which does other stuff. There
are some other ports, but they are only open to machines inside my LAN. The
requests are coming from localhost on the DMZ machine, so I presume that
the other server isn't in the equation.

Any idea how I might gain any more clues, either from logs or, if it
happens again, from tcpdump - could I get anywhere using tcpdump?

Cheers
Paul.

On Fri, 2007-02-23 at 20:57 +0100, Henrik Nordstrom wrote:
> fre 2007-02-23 klockan 19:07 +0000 skrev Paul:
> > I recently found internet access very very slow on my network, and a
> > little investigation showed up a lot of network activity on a machine I
> > keep in the DMZ. This Suse 10 machine hosts a SSHD, Apache2 server and
> > Squid/Dansguardian. The access.log for squid was full of lines like :
> >
> > 1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
> > 1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET http://media.fastclick.net/w/get.media? - DIRECT/63.215.202.application/x-javascript
>
> Looks like someone found a way to bounce via your server, using it as an
> open proxy. Exactly how is unclear from these logs alone, but it seems
> there is some kind of proxy on your server allowing an indirect
> connection to Squid.
>
> Is this a normal proxy, or a transparently intercepting proxy?
>
> What ports are listening on the server?
>
> What ports are allowed in via the firewall?
>
> Any firewall NAT rules remapping ports? (i.e. transparent interception
> of port 80 traffic to a different port)
>
> I do not think you are part of a DDoS, but rather that people are
> abusing your server as an open proxy, bypassing filters on their own
> network or hiding their identity...
>
> Regards
> Henrik
Received on Fri Feb 23 2007 - 13:34:01 MST
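Henrik's questions come down to which listener is actually reachable from outside and what access.log can and cannot tell you once a local relay sits in front of Squid. The script below is an added example for readers of this thread, not code from either poster: it parses Squid's native access.log format and reports how much of the forwarded traffic arrives from the loopback address, which hosts it goes to, and how bursty it is. The sample log lines are constructed with documentation hostnames and addresses (they are not Paul's lines), and the loopback-share and burst thresholds are assumptions to tune for your own traffic.

```python
"""Summarise a Squid native access.log to look for open-proxy abuse.

Assumption (this example's, not the thread's): Squid sits behind a local
relay such as DansGuardian, so every request reaches Squid from 127.0.0.1
and the true client is invisible in access.log.  The summary therefore
reports how much traffic is loopback-sourced, where it goes, and how bursty
it is, which is what you can still learn from this log alone.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method url
# rfc931 hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    code: str
    method: str
    url: str
    hier: str


def parse_log(text):
    """Parse access.log text; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(float(m["ts"]), m["client"], m["code"],
                                 m["method"], m["url"], m["hier"]))
    return entries


def dest_host(method, url):
    """Host the request was for (CONNECT logs host:port, not a URL)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames or '-' are not loopback addresses


def summarize(entries):
    per_client = Counter(e.client for e in entries)
    per_second = Counter(int(e.ts) for e in entries)
    # Forwarded (not denied) requests that arrived from loopback: the ones
    # whose real origin Squid cannot see.
    relayed = [e for e in entries if is_loopback(e.client) and e.hier != "NONE"]
    hosts = Counter(dest_host(e.method, e.url) for e in relayed)
    return {
        "total": len(entries),
        "per_client": dict(per_client),
        "loopback_relayed": len(relayed),
        "peak_rps": max(per_second.values(), default=0),
        "top_hosts": hosts.most_common(3),
    }


def open_proxy_indicators(summary, min_loopback_share=0.5, min_peak_rps=5):
    """Reasons this log looks like relayed or abused traffic (thresholds assumed)."""
    reasons = []
    total = summary["total"]
    if total and summary["loopback_relayed"] / total >= min_loopback_share:
        reasons.append("most forwarded requests arrive from loopback; "
                       "the relay in front of Squid hides the real client")
    if summary["peak_rps"] >= min_peak_rps:
        reasons.append(f"burst of {summary['peak_rps']} requests in one second")
    return reasons


# Constructed sample in Squid's native format; hosts and addresses are
# documentation values, not lines from the original thread.
SAMPLE_LOG = """\
1172143803.288    796 127.0.0.1 TCP_MISS/302 498 GET http://ads.example.net/imp? - DIRECT/198.51.100.7 -
1172143803.352    287 127.0.0.1 TCP_MISS/200 1283 GET http://media.example.com/w/get.media? - DIRECT/203.0.113.9 application/x-javascript
1172143803.401    140 127.0.0.1 TCP_MISS/200 612 GET http://ads.example.net/click? - DIRECT/198.51.100.7 text/html
1172143803.610    120 127.0.0.1 TCP_MISS/200 3910 CONNECT mail.example.org:443 - DIRECT/203.0.113.25 -
1172143803.777    802 127.0.0.1 TCP_MISS/302 498 GET http://ads.example.net/imp? - DIRECT/198.51.100.7 -
1172143804.120     33 192.168.1.20 TCP_HIT/200 5120 GET http://intranet.lan/index.html - DIRECT/192.168.1.5 text/html
1172143804.900    291 127.0.0.1 TCP_MISS/200 1283 GET http://media.example.com/w/get.media? - DIRECT/203.0.113.9 application/x-javascript
1172143809.002      0 192.168.1.20 TCP_DENIED/403 1410 GET http://blocked.example.org/ - NONE/- text/html
"""

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(summary)
    for reason in open_proxy_indicators(summary):
        print("indicator:", reason)
```

When every forwarded request is attributed to 127.0.0.1, as in the lines Paul posted, access.log can show the volume and the destinations but not who is sending the traffic; the remote source address only appears in the relay's own log or in a packet capture of the relay's listening port on the outside interface (for example `tcpdump -n -i eth0 port 3128`, substituting the port the relay actually listens on), which is where the tcpdump question leads.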