[squid-users] SQUID as HTTP firewall and filter for transparent cache from khiz code on 2001-09-18 (squid-users)

From: khiz code <khizcode@dont-contact.us>
Date: Tue, 18 Sep 2001 21:15:06 -0700 (PDT)

Hi guys
there hv been massive worm attacks ( not code red) this time havin the
foll signaturre paterns seems to be sadmind worm
202.120.136.142 TCP_MISS/503 1160 GET
http://www/scripts/..%c0%../winnt/system32/cmd.exe? - NONE/- -
1000823300.505 1 202.120.136.142 TCP_MISS/503 1160 GET
http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1000823300.611 1 202.120.136.142 TCP_MISS/503 1160 GET
http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
1000823300.731 2 202.120.136.142 TCP_MISS/503 1162 GET
http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1000823300.809 1 202.120.136.142 TCP_MISS/503 1158 GET
http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
1000821283.850 6123 202.120.152.15 TCP_MISS/503 1110 GET
http://www/scripts/root.exe? - NONE/- -
1000821283.850 6123 202.171.144.123 TCP_MISS/503 1110 GET
http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.171.144.170 TCP_MISS/503 1110 GET
http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET
http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET
http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.240.152.201 TCP_MISS/503 0 GET
http://www/scripts/root.exe? - NONE/- -

these has been reported on all of my squid boxes leading to the the
foll messages in cache.log
2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.120.136.69, port 53:
(105) No buffer space available
2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space
available
2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.134.10.1, port 53:
(105) No buffer space available
2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space
available

the foll messages in /var/log/messages
Sep 18 18:25:58 cache-squid kernel: dst cache overflow
Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed.
Sep 18 18:25:58 cache-squid kernel: dst cache overflow
Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed

at this level of traffic the linux kernel isnt able to even construct a
packet for a simple ping due to lack of buffer space. the machines are
well equipped with abt 512 mB ram
is there something that we cud do abt this ..
squid is working as a transparent cache ... duane's code red patch
which he had posted on the list sometimeback doesnt seem to work for
transparent wccp enabled caching
can we hv some sort of acl url_regex s to prevent these attacks..

something like squid acting as an HTTP IDS infront of worm friendly IIS
servers.. we can hv squid just do attack prevention rather than caching
/accelerating ..
hoping for solutions
rgds
khizcode

__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/
Received on Tue Sep 18 2001 - 22:15:08 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:16 MST