Re: [squid-users] TCP Flooding attack and DNS Poisoning attack

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Fri, 15 Apr 2011 08:43:24 +0300

On 15/04/2011 07:05, Amos Jeffries wrote:

> On 15/04/11 02:05, squid_at_sourcesystemsonline.com wrote:
>> Good day,
>> Thanks all for concern. The network topology is as follow:
>> Workstations are installed with Windows 7 Pro with spyware terminator
>> with
>> integrated ClamAV all link to a Cisco 2950 switch and a multihome server
>> with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to
>> the Cisco switch for LAN connection and the other to internet through
>> broadband device. Windows 7 on the server is used to share the internet
>> connection and the workstation browsers are configured to use server
>> IP and
>> port 3128.
>> Thanks for your assistance,
>> regards,
>> Yomi
>>
>
> Thanks. A couple of things are in effect here and come to mind as
> possible reasons for the warnings.
>
> Firstly is the low (2048) FD limit on Windows. We have not been able
> to avoid that. ESET may simply be detecting the client traffic
> reaching or passing that limit. If so it's not so much a security issue
> as a resource overload issue.
> The traffic bottlenecks behind Squid so clients get a crap experience
> but the Internet is saved from anything they try.
>
>
> The other idea depends on whether you have ClamAV integrated to scan
> the Squid traffic?
> ClamAV with Squid-2 has to use a redirector. This forces up to
> *three* requests processed by Squid to fetch any new object. The first
> one from the client kicks off a ClamAV scan (getting a 3xx back
> from ClamAV redirector). Then the ClamAV fetch to get content for
> scanning. Then the followup client request to get the scanned content
> from ClamAV.
>
> DNS I'm not so sure of. Squid should not be making a huge amount of
> DNS requests. It could be your clients making a great many requests of
> Squid. If ESET provides which client IPs are the suspect ones look
> through the Squid access.log and cache.log to see what those are doing.
> Your configuration can affect DNS load in bad ways though. For
> example using the dst ACL raises DNS load by an extra lookup per ACL
> test in 2.7.
>
> Amos

Well it seems to me kind of normal in this situation.
If you do have some spare parts I would run Squid on a dedicated
machine with a caching DNS server on it.

Eliezer
Received on Fri Apr 15 2011 - 05:43:33 MDT
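Amos suggests checking which client IPs are behind the warnings by looking through Squid's access.log. The following script is an added example (not code from this thread or from the Squid project) that summarises a native-format access.log per client: request count, number of distinct destination hosts (a rough proxy for the DNS resolutions Squid has to perform, more so when `dst` ACLs are in use) and denied requests. The log lines embedded in it are constructed samples, and the thresholds passed to `suspicious_clients()` are arbitrary values chosen for illustration.

```python
"""Per-client summary of a Squid access.log (native log format).

Added example for triaging "flood" warnings: find the clients that
generate the most requests or touch the most distinct hosts. The log
lines below are constructed samples, not from the poster's server.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/from type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one quiet client and one noisy client.
SAMPLE_LOG = """\
1302845100.123    245 192.168.1.10 TCP_MISS/200 4512 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1302845100.456     12 192.168.1.10 TCP_HIT/200 1200 GET http://example.com/logo.png - NONE/- image/png
1302845101.001    300 192.168.1.22 TCP_MISS/200 900 GET http://host-1.example.net/a - DIRECT/10.0.0.1 text/html
1302845101.050    310 192.168.1.22 TCP_MISS/200 900 GET http://host-2.example.net/a - DIRECT/10.0.0.2 text/html
1302845101.099    290 192.168.1.22 TCP_MISS/200 900 GET http://host-3.example.net/a - DIRECT/10.0.0.3 text/html
1302845101.150    305 192.168.1.22 TCP_MISS/200 900 GET http://host-4.example.net/a - DIRECT/10.0.0.4 text/html
1302845102.000      0 192.168.1.22 TCP_DENIED/403 0 CONNECT host-5.example.net:443 - NONE/- text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return {client, host, code} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT requests log "host:port" rather than a full URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return {"client": m.group("client"), "host": host.lower(), "code": m.group("code")}


def summarize(log_text):
    """Aggregate requests, distinct hosts and denied requests per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set(), "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the run
        s = stats[rec["client"]]
        s["requests"] += 1
        s["hosts"].add(rec["host"])
        if rec["code"].startswith("TCP_DENIED"):
            s["denied"] += 1
    return dict(stats)


def suspicious_clients(stats, max_requests, max_hosts):
    """Clients exceeding either threshold, sorted by IP string (thresholds are site-specific)."""
    return sorted(
        client for client, s in stats.items()
        if s["requests"] > max_requests or len(s["hosts"]) > max_hosts
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client, s in sorted(summary.items()):
        print(f"{client}: {s['requests']} requests, {len(s['hosts'])} hosts, {s['denied']} denied")
    print("suspicious:", suspicious_clients(summary, max_requests=3, max_hosts=3))
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of access.log; the distinct-host count per client is the figure to compare against the DNS warnings, since each new hostname is a resolution Squid has to make on the client's behalf.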

This archive was generated by hypermail 2.2.0 : Fri Apr 15 2011 - 12:00:03 MDT