Re: [squid-users] My Squid Under Attack - Help with info please.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 29 Dec 2002 19:02:48 +0100

Cliff wrote:

> For several reasons I prefer to keep
> my cache available to me wherever I am in the world.
> It's nice to have a reference implementation available
> to me when I'm working a squid problem at work.

Then you MUST configure authentication to only allow you access no
matter where in the world you are.

> And it would be nice to be able to relay email
> through my box at home with no special configuration
> necessary on the client's machine. Like when my idiot
> uncle can't remember his provider's email address and
> I need to get the situation tested and done so I can move
> on to the next thing.

SMTP relaying needs to be configured VERY carefully. And is not the job
of Squid. See your SMTP relay software manual (i.e.
sendmail/qmail/whatever) on how to set up suitable restrictions for SMTP
relaying.

> What is the exact nature of the exploit?
> I've seen the term "HTTP_CONNECT method" but no real
> detailed explanation.

If you allow CONNECT from anyone to port 25 then spammers can easily
abuse your proxy as a relay to avoid blacklisting. Instead of the
spammer being blacklisted as a spammer it will be you that ends up
blacklisted. The only trace in SMTP is that the email originated from
your IP address.

If you allow proxying from anyone to anywhere then anyone will be able
to use your machine as proxy to bypass access restrictions set by their
company or country.

Also, if you allow proxying or CONNECT then hackers can easily use your
proxy as a jumpgate when hacking other systems, leaving your IP address in
any traces on the hacked sites.

> Is this exploit a carefully crafted packet?
> Is this exploit a buffer overrun in nature?

Neither.

> I need to know who owns the problem in order to
> stop the abuse at the lowest level while still maintaining
> the ability to use the cache no matter where I am.

You own the problem if you allow proxying via your machine, just as you
would own the problem if you allow untrusted people to login on your
machine and run programs there to connect to other services on the
Internet.

If something happens it is you who is responsible.

And it is you who pays for the bandwidth usage involved.

This issue is not about data integrity on your machine.

Regards
Henrik
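An added example, not part of Henrik's message or of Squid's shipped configuration, showing how the two points above (no CONNECT to port 25 from anyone, and authentication before any proxying) look as squid.conf access controls in Squid 2.5 syntax. The ncsa_auth helper path and the password file location are assumptions; the port lists follow the stock defaults.

```conf
# Weak setting that leads to the abuse described in the thread:
# every client may proxy to every host and port, including CONNECT host:25.
#   http_access allow all

# Hardened equivalent.
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

# Refuse any request to a port outside the safe list (25/SMTP is not listed).
http_access deny !Safe_ports
# Refuse CONNECT to anything but the SSL ports, so "CONNECT mailhost:25" is denied
# before the spammer ever reaches a mail server through this proxy.
http_access deny CONNECT !SSL_ports

# Require a proxy login for everything that is left, so the cache stays usable
# from anywhere in the world but only by holders of a password.
# Helper path and password file are assumptions; adjust to your install.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Anything not explicitly allowed above is refused.
http_access deny all
```

Order matters: Squid evaluates http_access lines top to bottom and stops at the first match, so the deny lines must precede the authenticated allow.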
Received on Sun Dec 29 2002 - 20:56:07 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:15 MST