Re: [squid-users] weird traffic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Sep 2009 10:39:03 +1200

On Wed, 23 Sep 2009 10:17:31 -0400, Matthew Morgan <atcs.matthew_at_gmail.com>
wrote:
> Amos Jeffries wrote:
>> On Tue, 22 Sep 2009 11:58:16 -0400, Matthew Morgan
>> <atcs.matthew_at_gmail.com>
>> wrote:
>>
>>> Leonardo Carneiro wrote:
>>>
>>>> you could bind squid to only listen on the LAN interface. doing this, no
>>>> one will be able to establish an external connection with squid.
>>>>
>>> I'll try that, but I thought my firewall rules were taking care of
>>> that. They may not be though...I'm just recently learning iptables.
>>> I'll post back with the results.
>>>
>>> Thanks!
>>>
>>>
>>
>> IIRC llnw.net are one of the providers for a lot of video content. If
>> your
>> Squid is configured to download a complete file on range requests and one
>> of your users started downloading a video then stopped Squid would show
>> this behavior.
>>
> Ah! This may be it. My squid IS set to download an entire file on
> range request so that windows updates will cache properly. We're
> actually a computer shop, so there is no telling what type of downloads
> the virus infested customer machines may initiate and drop as we work on
> them.
>
> Thanks for the tip!
>
> As for Leonardo Carneiro's advice about only binding to the local port:
> it may just be my imagination, but it seems like that has cut down on
> the length of time these strange connections last. As I said, I'm not
> really a networking expert, so I don't even know if that makes sense.
> Either way, it was a security measure I should have taken in the first
> place.

Ah, since you have untrusted machines internally. I'd suggest locking down
the access even further. So that only known machines have random access
out. The ones being fixed allowed out to a whitelist of sites (AV vendors
and WU sources) so the auto-updates can work easily with less worry about
viral requests.

The squid logs can be grep'd during/after to see what it attempted, or the
sqstat web script to show current connections for live tracking. That should
give a fair idea if there was any viral activity or if the whitelist needs
to be updated.

Amos

>> Though yeah, a firewall spot-check is also good when strange things
>> happen.
>>
>> Amos
>>
>>
>>>> Matthew Morgan wrote:
>>>>
>>>>> I have squid set up as a transparent proxy. It has two interfaces:
>>>>> eth0 (internet facing wan) and eth1 (local). I'm using iptables to
>>>>> masquerade the packets from my local network on eth1 and redirect
>>>>> them to squid's port. All this seems to work fine.
>>>>>
>>>>> The thing is, I keep seeing long periods of high incoming traffic on
>>>>> eth0, but low outgoing traffic on eth0, and nearly no traffic on
>>>>> eth1. Every time I see this, the data is always coming from either
>>>>> llnw.net or msecn.net. Both of these are legitimate content delivery
>>>>> networks. When I inspect the traffic I'm getting with
>>>>> tcpdump/wireshark, none of the traffic from these domain is going
>>>>> through to eth1 at all. I can confirm that this traffic is going to
>>>>> squid, since a netstat -p shows squid as the program with the
>>>>> connection open.
>>>>>
>>>>> What could be causing this? I tried turning off persistent
>>>>> connections in case a client was making the connection and then
>>>>> ignoring the data, but I'm not sure if that's possible or the
>>>>> problem. I'm not a network expert.
>>>>>
>>>>>
>>
>>
Received on Wed Sep 23 2009 - 22:39:08 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 24 2009 - 12:00:05 MDT
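The "grep the logs afterwards" step Amos suggests, as an added example that is not part of the thread and not Squid's own tooling: a small Python audit of Squid's native access.log format that checks requests from the repair-bench subnet against the same destination whitelist an `acl ... dstdomain` list would hold. The subnet (192.168.2.0/24), the whitelist entries and the log lines are all constructed for the example; a leading dot in a whitelist entry is treated the way Squid's dstdomain treats it (the domain and all its subdomains).

```python
"""Audit Squid native access.log lines from a restricted subnet against a destination whitelist."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed whitelist, mirroring what an `acl updates dstdomain ...` list would contain.
# A leading dot matches the domain itself and every subdomain (Squid dstdomain semantics).
WHITELIST = (".windowsupdate.com", ".update.microsoft.com", ".avvendor.example")

# Constructed: the bench subnet holding customer machines under repair (hypothetical addressing).
RESTRICTED_NET = ipaddress.ip_network("192.168.2.0/24")

# Native Squid log line: time elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample log; one bench host talking to update sources and to an unknown domain.
SAMPLE_LOG = """\
1253700001.101   2330 192.168.2.17 TCP_MISS/200 1048576 GET http://download.windowsupdate.com/msdownload/update/x.cab - DIRECT/65.55.1.1 application/octet-stream
1253700002.202    150 192.168.2.17 TCP_MISS/200 5120 GET http://cdn.badhost.example/payload.exe - DIRECT/203.0.113.9 application/octet-stream
1253700003.303     90 192.168.2.17 TCP_DENIED/403 1630 CONNECT irc.badhost.example:6667 - NONE/- text/html
1253700004.404    700 192.168.1.5 TCP_HIT/200 8000 GET http://cdn.badhost.example/news - NONE/- text/html
1253700005.505     60 192.168.2.17 TCP_MISS/200 2048 GET http://v4.update.microsoft.com/ping - DIRECT/65.55.1.2 text/plain
"""


def host_of(method, url):
    """Extract the destination host; CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def whitelisted(host, allow=WHITELIST):
    """True if host matches a whitelist entry (dot-prefixed entries cover subdomains)."""
    for pat in allow:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["method"], rec["url"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def audit(lines, net=RESTRICTED_NET, allow=WHITELIST):
    """Return (violations, denied) for clients inside net.

    violations: (client, host, bytes) for requests that got through to a non-whitelisted host,
                i.e. the ACL is not yet enforced or the whitelist is wider than intended.
    denied:     (client, host) for TCP_DENIED entries, i.e. what the machine tried and was blocked.
    """
    violations, denied = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            client = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # ident or hostname logging; not an address we can place in a subnet
        if client not in net:
            continue
        if rec["code"].startswith("TCP_DENIED"):
            denied.append((rec["client"], rec["host"]))
        elif not whitelisted(rec["host"], allow):
            violations.append((rec["client"], rec["host"], rec["bytes"]))
    return violations, denied


if __name__ == "__main__":
    bad, blocked = audit(SAMPLE_LOG.splitlines())
    for client, host, size in bad:
        print(f"REACHED non-whitelisted host: {client} -> {host} ({size} bytes)")
    for client, host in blocked:
        print(f"DENIED: {client} -> {host}")
```

Run it against a real log with `audit(open("/var/log/squid/access.log"))` once the per-subnet ACL is in place: a non-empty `violations` list means the ACL is not actually matching those clients, while the `denied` list is the record of what the infected machine attempted and is the input for deciding whether a legitimate update source is missing from the whitelist.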