Re: [squid-users] SQUID as HTTP firewall and filter for transparent cache

From: khiz code <khizcode@dont-contact.us>
Date: Tue, 18 Sep 2001 22:56:58 -0700 (PDT)

hi joe
hope u get a single copy of this mail ;-)
well yes this is an open cache ....
since we run dynamic routing protocol on the network . sometimes due to
loss of link with my upstream ISP at one location .. traffic is
automatically routed to another location ... so having an acl and
maintaining one would be fairly tedious, customer pools keep on changing

apart from this as u had suggested in ur earlier post .. NONE
essentially indicates that squid did not forward the request to any one
..
but the real problem is the loss of memory space on the box which
effectively throws the squid box out of operation
2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.134.10.1, port 53: (105) No buffer space available
2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space available
and the foll system log messages
Sep 18 18:25:58 cache-squid kernel: dst cache overflow
Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed

i dunno what they actually mean ...???
btw does duane's tcp reset patch work for transparent proxying???
rgds
khizcode

--- Joe Cooper <joe@swelltech.com> wrote:
> (No need to send posts to both me and the Squid-users list...I read
> Squid-users daily. ;-)
>
> It looks like maybe you're running an open web cache, which is a big
> problem to start with and will make this worm much more painful for you
> and your users.
>
> Are all of those source IPs in your local networks? (I see at least four
> pretty widely separated network blocks there 202.120.136.0,
> 202.120.152.0, 202.171.144.0, 202.240.152.0.) So close Squid to all but
> your clients first, then tell us if the problem seems so big. We've had
> no serious service problems from any of our client boxes so far today
> (knock on wood), though some are wondering at the rapid growth of their
> logs.
>
> khiz code wrote:
>
> > Hi guys
> > there hv been massive worm attacks ( not code red) this time having the
> > foll signature patterns seems to be sadmind worm
> > 202.120.136.142 TCP_MISS/503 1160 GET http://www/scripts/..%c0%../winnt/system32/cmd.exe? - NONE/- -
> > 1000823300.505 1 202.120.136.142 TCP_MISS/503 1160 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
> > 1000823300.611 1 202.120.136.142 TCP_MISS/503 1160 GET http://www/scripts/..%c1%9c../winnt/system32/cmd.exe? - NONE/- -
> > 1000823300.731 2 202.120.136.142 TCP_MISS/503 1162 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
> > 1000823300.809 1 202.120.136.142 TCP_MISS/503 1158 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe? - NONE/- -
> > 1000821283.850 6123 202.120.152.15 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
> > 1000821283.850 6123 202.171.144.123 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
> > 1000821289.047 7158 202.171.144.170 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
> > 1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
> > 1000821289.047 7158 202.171.144.147 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
> > 1000821289.047 7158 202.240.152.201 TCP_MISS/503 0 GET http://www/scripts/root.exe? - NONE/- -
> >
> > these have been reported on all of my squid boxes leading to the
> > foll messages in cache.log
> > 2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.120.136.69, port 53: (105) No buffer space available
> > 2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space available
> > 2001/09/18 19:17:41| comm_udp_sendto: FD 4, 202.134.10.1, port 53: (105) No buffer space available
> > 2001/09/18 19:17:41| idnsSendQuery: FD 4: sendto: (105) No buffer space available
> >
> > the foll messages in /var/log/messages
> > Sep 18 18:25:58 cache-squid kernel: dst cache overflow
> > Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed.
> > Sep 18 18:25:58 cache-squid kernel: dst cache overflow
> > Sep 18 18:25:58 cache-squid kernel: NET: 3324 messages suppressed
> >
> > at this level of traffic the linux kernel isn't able to even construct a
> > packet for a simple ping due to lack of buffer space. the machines are
> > well equipped with abt 512 MB RAM
> > is there something that we cud do abt this ..
> > squid is working as a transparent cache ... duane's code red patch
> > which he had posted on the list sometime back doesn't seem to work for
> > transparent wccp enabled caching
> > can we hv some sort of acl url_regex's to prevent these attacks..
> >
> > something like squid acting as an HTTP IDS in front of worm friendly IIS
> > servers.. we can hv squid just do attack prevention rather than caching
> > /accelerating ..
> > hoping for solutions
> > rgds
> > khizcode
>
>
> --
> Joe Cooper <joe@swelltech.com>
> Affordable Web Caching Proxy Appliances
> http://www.swelltech.com
>

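An added example, not from this thread or from Squid itself, showing one defensive check over access.log entries like those quoted above: it parses Squid native-format lines, matches the encoded-traversal cmd.exe and root.exe probe patterns that a url_regex ACL would carry, counts probes per client, and flags probing clients outside a local client pool (the open-cache question Joe raised). The LOCAL_NETS value and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access.log lines in Squid native format, modelled on the
# entries quoted in the thread: timestamp, elapsed ms, client, code/status,
# bytes, method, URL, ident, hierarchy/peer, content-type. The last line is a
# normal client request included as a negative case.
SAMPLE_LOG = """\
1000823300.505 1 202.120.136.142 TCP_MISS/503 1160 GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe? - NONE/- -
1000823300.731 2 202.120.136.142 TCP_MISS/503 1162 GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe? - NONE/- -
1000821283.850 6123 202.120.152.15 TCP_MISS/503 1110 GET http://www/scripts/root.exe? - NONE/- -
1000821289.047 7158 202.240.152.201 TCP_MISS/503 0 GET http://www/scripts/root.exe? - NONE/- -
1000821290.100 120 10.1.2.3 TCP_HIT/200 5432 GET http://www.example.com/index.html - NONE/- text/html
"""

# Hypothetical client pool (assumption, not from the thread). Anything
# probing from outside it is a sign the cache is reachable as an open proxy.
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# The same probe shapes a url_regex ACL would deny: root.exe, or ".." followed
# by an encoded "/" (%c0%af, %c1%9c, %%35%63 ...) then "../winnt/system32/cmd.exe".
WORM_URL = re.compile(
    r"/scripts/(root\.exe|\.\.%[0-9a-f%]+\.\./winnt/system32/cmd\.exe)", re.I)

def parse_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")   # "NONE/-" means Squid forwarded to nobody
    return {"ts": float(f[0]), "client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6], "hierarchy": hier, "peer": peer}

def is_worm_probe(rec):
    return rec["method"] == "GET" and WORM_URL.search(rec["url"]) is not None

def summarize(text):
    """Return (probe count per client, set of probing clients outside LOCAL_NETS)."""
    probes, foreign = Counter(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec):
            continue
        probes[rec["client"]] += 1
        if not any(ip_address(rec["client"]) in net for net in LOCAL_NETS):
            foreign.add(rec["client"])
    return probes, foreign
```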
Received on Tue Sep 18 2001 - 23:57:00 MDT
