Re: [squid-users] TCP Flooding attack and DNS Poisoning attack

From: <squid_at_sourcesystemsonline.com>
Date: Thu, 14 Apr 2011 10:05:05 -0400

Good day,
Thanks all for your concern. The network topology is as follows:
Workstations are installed with Windows 7 Pro with Spyware Terminator with
integrated ClamAV, all linked to a Cisco 2950 switch, and a multihomed server
with Windows 7 Ultimate with ESET AV and Squid has one NIC connected to
the Cisco switch for the LAN connection and the other to the internet through
a broadband device. Windows 7 on the server is used to share the internet
connection, and the workstation browsers are configured to use the server IP and
port 3128.
Thanks for your assistance,
regards,
Yomi

> On 12/04/2011 08:37, Amos Jeffries wrote:
>
>> On 12/04/11 15:51, Eliezer Croitoru wrote:
>>> On 12/04/2011 06:15, Amos Jeffries wrote:
>>>
>>>> On Mon, 11 Apr 2011 22:34:02 +0300, Eliezer Croitoru wrote:
>>>>> On 11/04/2011 20:53, squid_at_sourcesystemsonline.com wrote:
>>>>>
>>>>>> Good day,
>>>>>> Sometimes when I check my ESET Antivirus log file, it shows that
>>>>>> some activities of clients in my network are attacking my network,
>>>>>> especially the squid port (3128), with TCP Flooding or DNS Poisoning.
>>>>>> I checked the internet for their meaning and found out that they are
>>>>>> not good activities on any network.
>>>>> What?
>>>>> It's nice to know that you do have TCP flooding... or whatever.
>>>>> But the problem is that the AV is not providing any details on how it
>>>>> is reaching this conclusion.
>>>>> I would start with a simple Wireshark on the specific machine on which
>>>>> you are getting the warnings,
>>>>> in case you do have some problems in your network setup.
>>>>> By the way, proxy traffic can indeed, in a way, be misunderstood as a TCP
>>>>> flood and DNS spoofer.
>>>>
>>>> NOTE: Usually TCP flooding is a warning thrown up by the kernel when
>>>> TCP has a lot of new connections made. A busy proxy will easily hit
>>>> the default thresholds for this.
>>>>
>>>> TCP offers a feature called "SYN cookies" which can help with this
>>>> problem.
>>>>
>>>> see
>>>> http://squid-web-proxy-cache.1019090.n4.nabble.com/possible-SYN-flooding-on-port-3128-Sending-cookies-td2242687.html
>>>>
>>>>
>>> So it's almost certain that the same mechanism that works in the Linux
>>> kernel is being used in the ESET.
>>> The thing is that we are talking about an AV that sits on another
>>> machine,
>>> so it seems kind of odd for the AV/FW on another machine to actually
>>> be 100% reliable in its analysis in this case?
>>>
>>
>> Yes. Is it getting a copy of all the packets? Either by port mirroring
>> or by being a bridge?
>> It could be checking the same things, but without the benefit of the
>> tuning the Squid box has.
>>
>> How it's getting the poisoning attack conclusion baffles me a bit.
>> Though, working blind as to how the AV integrates with the network, that
>> is not hard.
>>
>> Amos
> I work with ESET AV and FW systems and as far as I know they don't have
> IDS systems, so it seems to me a malfunctioning or flooded switch,
> because most IDS systems know how to understand network
> streams (or at least are supposed to).
> I really would like to know the network topology in this place :)
>
> Eliezer
>
>
Received on Thu Apr 14 2011 - 14:05:12 MDT
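Amos's note above refers to the Linux kernel's "possible SYN flooding on port N" warning, which a busy proxy hits on its listening port simply because clients open many short-lived connections. The script below is an added example written for this archive page; it is not code from the thread, from ESET, or from the Squid project. It assumes a Linux Squid host (the poster's server in this thread runs Windows, where none of this applies) and works on syslog/dmesg-style lines. The sample log lines are constructed for the example, and the `tcp_max_syn_backlog` target of 4096 is an illustrative assumption, not a recommendation from the thread; `tcp_syncookies=1` is the setting Amos suggests.

```python
"""Triage kernel "possible SYN flooding" warnings on a Linux Squid box.

Added example for the squid-users archive, not code from the thread or
from the Squid project. Sample log lines below are constructed.
"""
import os
import re
from collections import Counter

# Matches both the older kernel wording ("possible SYN flooding on port N.
# Sending cookies.") and the newer one ("Possible SYN flooding on port N.
# Dropping request.  Check SNMP counters."). "Dropping request" is what the
# kernel logs when SYN cookies are disabled and the SYN queue is full.
SYN_FLOOD_RE = re.compile(
    r"[Pp]ossible SYN flooding on port (?P<port>\d+)\.\s*"
    r"(?P<action>Sending cookies|Dropping request)"
)

# Constructed sample lines (not real output from anyone's server).
SAMPLE_LOG = """\
Apr 11 20:40:12 proxy kernel: possible SYN flooding on port 3128. Sending cookies.
Apr 11 20:40:13 proxy kernel: possible SYN flooding on port 3128. Sending cookies.
Apr 11 20:41:02 proxy kernel: eth0: link is up
Apr 11 21:02:44 proxy kernel: TCP: Possible SYN flooding on port 3128. Dropping request.  Check SNMP counters.
Apr 11 21:02:45 proxy kernel: TCP: Possible SYN flooding on port 22. Sending cookies.  Check SNMP counters.
"""


def parse_syn_flood_events(lines):
    """Return a Counter keyed by (port, action) for every SYN-flood warning."""
    events = Counter()
    for line in lines:
        m = SYN_FLOOD_RE.search(line)
        if m:
            events[(int(m.group("port")), m.group("action"))] += 1
    return events


def classify_ports(events, service_ports):
    """Split warned ports into known busy services and everything else.

    service_ports: ports you know take many short-lived client connections,
    e.g. Squid's http_port. Warnings there are the "busy proxy hits the
    default threshold" case; warnings elsewhere deserve a packet capture.
    Returns (expected, unexpected), each a dict of port -> warning count.
    """
    expected, unexpected = {}, {}
    for (port, _action), n in events.items():
        bucket = expected if port in service_ports else unexpected
        bucket[port] = bucket.get(port, 0) + n
    return expected, unexpected


def dropped_requests(events):
    """Ports where the kernel dropped SYNs outright (SYN cookies were off)."""
    return sorted({port for (port, action) in events if action == "Dropping request"})


# Hypothetical targets for the example: syncookies=1 is the thread's
# suggestion; the backlog figure is an assumption, tune it to real load.
RECOMMENDED_SYSCTL = {
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_max_syn_backlog": 4096,
}


def sysctl_changes(current):
    """Given current sysctl values, return the `sysctl -w` commands needed."""
    cmds = []
    for key, want in RECOMMENDED_SYSCTL.items():
        have = current.get(key)
        if have is None or int(have) < want:
            cmds.append(f"sysctl -w {key}={want}")
    return cmds


def read_sysctl(keys, root="/proc/sys"):
    """Read live kernel values from /proc/sys; returns {} on non-Linux hosts."""
    values = {}
    for key in keys:
        path = os.path.join(root, *key.split("."))
        try:
            with open(path) as fh:
                values[key] = int(fh.read().strip())
        except (OSError, ValueError):
            pass  # not Linux, or the key does not exist here
    return values


if __name__ == "__main__":
    events = parse_syn_flood_events(SAMPLE_LOG.splitlines())
    expected, unexpected = classify_ports(events, service_ports={3128})
    print("warnings on known service ports:", expected)
    print("warnings on other ports (capture and investigate):", unexpected)
    print("ports where SYNs were dropped (cookies off):", dropped_requests(events))
    live = read_sysctl(RECOMMENDED_SYSCTL) or {"net.ipv4.tcp_syncookies": 0}
    print("\n".join(sysctl_changes(live)) or "sysctl already at recommended values")
```

On a real host, feed it `dmesg` or `/var/log/kern.log` instead of `SAMPLE_LOG`. Warnings confined to the proxy port with "Sending cookies" are the benign busy-proxy case; "Dropping request" means clients are actually losing connections and SYN cookies should be turned on, and warnings on ports that are not busy services are the ones worth the Wireshark capture Eliezer suggests.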

This archive was generated by hypermail 2.2.0 : Fri Apr 15 2011 - 12:00:03 MDT