Re: [squid-users] TCP Flooding attack and DNS Poisoning attack

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Tue, 12 Apr 2011 06:51:52 +0300

On 12/04/2011 06:15, Amos Jeffries wrote:

> On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
>> On 11/04/2011 20:53, squid_at_sourcesystemsonline.com wrote:
>>
>>> Good day,
>>> Sometimes when I check my ESET Antivirus log file, it shows that some
>>> activities of clients in my network are attacking my network, especially
>>> the squid port (3128), with TCP Flooding or DNS Poisoning. I checked the
>>> internet for their meaning and found out that they are not good
>>> activities on any network.
>> What?
>> It's nice to know that you do have TCP flooding.. or whatsoever..
>> but the problem is that the AV is not providing any details on how it
>> is reaching this conclusion.
>> I would start with a simple Wireshark capture on the specific machine on
>> which you are getting the warnings,
>> in case you do have some problems in your network setup.
>> By the way, proxy traffic can indeed, in a way, be misunderstood as a TCP
>> flood or a DNS spoofer.
>
> NOTE: Usually TCP flooding is a warning thrown up by the kernel when
> TCP has a lot of new connections made. A busy proxy will easily hit
> the default thresholds for this.
>
> TCP offers a feature called "SYN cookies" which can help with this
> problem.
>
> see
> http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
>
So it's almost certain that the same mechanism that works in the Linux kernel..
is being used in ESET..
The thing is that we are talking about an AV that sits on another machine..
so it seems kind of odd for the AV/FW on another machine to actually be
100% reliable in its analysis in this case?

Eliezer
>
>>> Is there any configuration option(s) in squid that I can use to
>>> drop/block such TCP Flooding and DNS Poisoning traffic?
>>> Any suggestion?
>> Squid is a server.. it won't react unless it is requested to do things.
>> This is from my experience, so unless you have a bad squid setup that
>> can lead to an open relay proxy..
>> I can't really think of something.
>> If I don't know or understand something, I would like to hear about it.
>>
>
> There is a security vulnerability in the Squid DNS receiving for old
> versions.
> http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
> (NP: right now the advisory shows 2.x as vulnerable. 2.6.STABLE24+ and
> 2.7.STABLE8+ should be listed as safe. Fixing that now.)
>
> Following the workaround indicated, or using a fixed version, fake DNS
> packets will not be a big problem. Just a waste of a few CPU cycles.
>
> Further protection can be added by firewalling the DNS responses
> (coming from port 53 UDP or 953 TCP) unless they come from the system's
> configured resolver (/etc/resolv.conf). Check that squid.conf does
> not override the OS with the dns_nameservers directive; if it does,
> exceptions will need to be added for those machines as well.
>
> Amos
Received on Tue Apr 12 2011 - 03:52:01 MDT
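One way to turn Amos's last suggestion into firewall rules on the proxy host, as an added example that is not from the thread or the Squid project: it reads the resolvers from /etc/resolv.conf, adds any dns_nameservers override found in squid.conf, and prints iptables rules that accept DNS replies only from those addresses. It assumes iptables on the proxy host and uses source port 53 for both UDP and TCP replies; the /etc/squid/squid.conf path in the usage note is an assumed default.

```shell
# Collect resolver addresses from a resolv.conf-style file ('nameserver A.B.C.D')
# and from a squid.conf-style file ('dns_nameservers A.B.C.D E.F.G.H'),
# because squid.conf can override the OS resolver list (see the thread above).
allowed_resolvers() {
    resolv="$1"
    squidconf="$2"
    {
        # resolv.conf: keep the first token after 'nameserver', drop trailing comments
        sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$resolv"
        # squid.conf: the directive takes a space-separated list of addresses
        if [ -f "$squidconf" ]; then
            sed -n 's/^[[:space:]]*dns_nameservers[[:space:]]\{1,\}\([^#]*\).*/\1/p' "$squidconf" \
                | tr ' \t' '\n\n'
        fi
    } | grep -v '^$' | sort -u
}

# Print iptables rules for the proxy host's INPUT chain: accept DNS replies
# (source port 53, UDP and TCP) only from the allowed resolvers, then drop
# every other packet that claims to be a DNS reply.
dns_reply_rules() {
    allowed_resolvers "$1" "$2" | while read -r ip; do
        printf 'iptables -A INPUT -p udp --sport 53 -s %s -j ACCEPT\n' "$ip"
        printf 'iptables -A INPUT -p tcp --sport 53 -s %s -j ACCEPT\n' "$ip"
    done
    echo 'iptables -A INPUT -p udp --sport 53 -j DROP'
    echo 'iptables -A INPUT -p tcp --sport 53 -j DROP'
}
```

Review the output before applying it with `dns_reply_rules /etc/resolv.conf /etc/squid/squid.conf | sh`, since the final DROP rules also discard replies to any ad-hoc query the host sends to a resolver not in the list.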

This archive was generated by hypermail 2.2.0 : Tue Apr 12 2011 - 12:00:04 MDT