fre 2007-02-23 klockan 19:07 +0000 skrev Paul:
> I recently found internet access very very slow on my network, and a
> little investigation showed up a lot of network activity on a machine I
> keep in the DMZ. This Suse 10 machine hosts a SSHD, Apache2 server and
> Squid/Dansguardian. The access.log for squid was full of lines like:
>
> 1172143803.288 796 127.0.0.1 TCP_MISS/302 498 GET
> http://ad.bannerconnect.net/imp? - DIRECT/208.67.67.11 -
> 1172143803.352 287 127.0.0.1 TCP_MISS/200 1283 GET
> http://media.fastclick.net/w/get.media? -
> DIRECT/63.215.202.application/x-javascript
Looks like someone found a way to bounce via your server, using it as an
open proxy. Exactly how is unclear from these logs alone, but it seems
there is some kind of proxy on your server allowing an indirect
connection to Squid.
Is this a normal proxy, or a transparently intercepting proxy?
What ports are listening on the server?
What ports are allowed in via the firewall?
Any firewall NAT rules remapping ports? (i.e. transparent interception
of port 80 traffic to a different port)
I do not think you are part of a DDoS, but rather that people
abuse your server as an open proxy bypassing filters of their own
network or hiding their identity...
Regards
Henrik
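A way to put numbers behind Henrik's reading of the log: the script below, added here as an example and not code from Squid or from either poster, parses Squid's native access.log format and reports how much of the traffic arrives from loopback (a local daemon chained in front of Squid, which hides the real origin), how many distinct destination hosts those loopback requests fan out to, and the tightest request burst per client. The sample lines are constructed for this example using RFC 5737 documentation addresses and example.* hostnames; they are modelled on the format quoted above, not copied from the poster's log.

```python
"""Summarise a Squid native-format access.log to spot open-proxy / relay abuse.

Assumptions (example code, not Squid's own): the log uses Squid's default
native format (time elapsed client code/status bytes method URL rfc931
hierarchy/peer type); the sample below is constructed, not a real capture.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample records (RFC 5737 addresses, example.* hosts); the last
# line is deliberately malformed to show that bad records are counted, not parsed.
SAMPLE_LOG = """\
1172143803.288    796 127.0.0.1 TCP_MISS/302 498 GET http://ads.example.net/imp? - DIRECT/198.51.100.11 -
1172143803.352    287 127.0.0.1 TCP_MISS/200 1283 GET http://media.example.org/w/get.media? - DIRECT/198.51.100.12 application/x-javascript
1172143803.410    120 127.0.0.1 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1172143803.900    300 127.0.0.1 TCP_MISS/200 900 CONNECT mail.example.com:443 - DIRECT/203.0.113.25 -
1172143850.001     90 192.168.1.20 TCP_HIT/200 2048 GET http://intranet.example/page - NONE/- text/html
this line is not a squid record
"""


def dest_host(url):
    """Destination hostname; CONNECT requests log host:port with no scheme."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Parse one native-format record; return a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = dest_host(rec["url"])
    return rec


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1, i.e. a client process on the proxy host itself."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def peak_burst(timestamps, window):
    """Largest number of requests inside any `window`-second span (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarise(log_text, burst_window=10.0):
    """Per-client volume, destination spread and burst rate for a log excerpt.

    A high loopback share with many distinct destinations means Squid only sees
    a local relay as its client; the true origin must come from that relay's
    own logs or firewall accounting, not from access.log.
    """
    lines = [l for l in log_text.splitlines() if l.strip()]
    parsed = [parse_line(l) for l in lines]
    records = [r for r in parsed if r]
    by_client = Counter(r["client"] for r in records)
    hosts = Counter(r["host"] for r in records)
    loopback = [r for r in records if is_loopback(r["client"])]
    return {
        "records": len(records),
        "malformed": len(parsed) - len(records),
        "by_client": dict(by_client),
        "top_hosts": hosts.most_common(3),
        "loopback_share": len(loopback) / len(records) if records else 0.0,
        "loopback_distinct_hosts": len({r["host"] for r in loopback}),
        "peak_burst": {
            c: peak_burst([r["ts"] for r in records if r["client"] == c], burst_window)
            for c in by_client
        },
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real access.log with `summarise(open("/var/log/squid/access.log").read())`. In the situation above, a loopback share near 1.0 confirms Henrik's point that Squid is only seeing the chained local proxy; the next step is the questions he lists (what listens, what the firewall admits, whether NAT redirects port 80 into the chain), answered from the host, not from access.log.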
This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST