Re: [squid-users] SECURITY ALERT: Host header forgery detected on local

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 22 Dec 2013 14:09:14 +1300

On 21/12/2013 9:51 a.m., Dr.x wrote:
>
> Hi,
>
> I have these logs and am wondering if they are harmful:
> I'm using squid 3.3.9
> Squid Cache: Version 3.3.9
> ==========================================================================
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: Host header forgery detected
> on local=10.10.0.50:80 remote=x.x.x.x FD 573 flags=17 (local IP does not
> match any domain IP)
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: By user agent:
> 2013/12/20 15:41:00.747 kid1| SECURITY ALERT: on URL:
> client9.dropbox.com:443
> 2013/12/20 15:41:00.747 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 573 flags=17
> kid1| SECURITY ALERT: Host header forgery detected on local=10.10.0.50:80
> remote=x.x.x.x FD 163 flags=17 (local IP does not match any domain IP)
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: By user agent:
> 2013/12/20 15:41:29.611 kid1| SECURITY ALERT: on URL: d.dropbox.com:443
> 2013/12/20 15:41:29.611 kid1| abandoning local=10.10.0.50:80 remote=x.x.x.x
> FD 163 flags=17
> ===========================================================================
>
> Wish to clarify if it is a harmful log.

Well, that varies.

This is demonstrating a client browser being told it is connecting to
:443 (HTTPS secure connection) which is actually being sent over port 80
to 10.10.0.50.

For the URL to appear like that without http:// or https:// and path
pieces it is most likely a CONNECT request being sent over port 80 to an
explicit proxy. Your MITM has just screwed that up by either terminating
the bad behaviour, or making it a CONNECT request directly to
10.10.0.50:80 which will fail at the SSL handshake which follows.

Amos
Received on Sun Dec 22 2013 - 01:09:25 MST
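The check that produces the alert quoted above, as an added, simplified model written for this page; it is not Squid's own code and does not reproduce its exact order of checks. Squid compares the destination the client was intercepted on (the local= address and port) against what the request claims: the Host or CONNECT authority must resolve to an address that includes the intercepted IP, and the claimed port must be the one the connection actually arrived on. The DNS table, client address and intranet.example name are constructed for the example; the 203.0.113.x and 192.0.2.x addresses are documentation ranges, not Dropbox's real ones.

```python
"""Offline model of Squid's Host-header forgery check on intercepted traffic.

Assumption: a simplified re-implementation for illustration, not Squid's
own code. The DNS table is constructed; addresses are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the resolver Squid would consult (assumption).
FAKE_DNS = {
    "client9.dropbox.com": {"203.0.113.10", "203.0.113.11"},
    "d.dropbox.com": {"203.0.113.20"},
    "intranet.example": {"10.10.0.50"},
}


@dataclass
class Intercepted:
    """One intercepted client connection, as the proxy sees it."""
    local_ip: str      # original destination IP the client connected to
    local_port: int    # original destination port (80 in the post)
    remote_ip: str     # client address
    request_line: str  # first line of the request
    host_header: Optional[str] = None


def split_authority(authority: str, default_port: int) -> Tuple[str, int]:
    """Split "host[:port]" (IPv6 literals in brackets) into (host, port)."""
    if authority.startswith("["):
        host, _, rest = authority[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else default_port
    host, sep, port = authority.rpartition(":")
    return (host, int(port)) if sep else (authority, default_port)


def parse_target(request_line: str, host_header: Optional[str] = None) -> Tuple[str, str, int]:
    """Return (method, host, port) the client claims it is talking to.

    CONNECT carries a bare authority ("host:443"), which is why the URL in
    the post shows no scheme or path; other methods carry an absolute URL
    or a path plus a Host header.
    """
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        host, port = split_authority(target, 443)
        return method, host, port
    if "://" in target:
        parts = urlsplit(target)
        default = 443 if parts.scheme == "https" else 80
        return method, parts.hostname, parts.port or default
    if host_header is None:
        raise ValueError("origin-form request without a Host header")
    host, port = split_authority(host_header, 80)
    return method, host, port


def verify_host(conn: Intercepted,
                resolve: Callable[[str], Optional[Set[str]]] = FAKE_DNS.get) -> Tuple[bool, str]:
    """Check that the intercepted destination agrees with what the client claims.

    The first two reasons are the wording Squid logs; the IP-literal reason
    and the order of the checks are this model's own (assumption).
    """
    _method, host, port = parse_target(conn.request_line, conn.host_header)
    try:
        literal = str(ipaddress.ip_address(host))
    except ValueError:
        literal = None
    if literal is not None:
        if literal != str(ipaddress.ip_address(conn.local_ip)):
            return False, "local IP does not match Host IP literal"
    elif conn.local_ip not in (resolve(host) or set()):
        return False, "local IP does not match any domain IP"
    if port != conn.local_port:
        # A CONNECT to :443 arriving on port 80 is the case Amos describes.
        return False, "intercepted port does not match %d" % conn.local_port
    return True, "ok"


def format_alert(conn: Intercepted, reason: str, user_agent: str = "") -> List[str]:
    """Render the three alert lines in the shape the post shows (modelled)."""
    where = "local=%s:%d remote=%s" % (conn.local_ip, conn.local_port, conn.remote_ip)
    _m, host, port = parse_target(conn.request_line, conn.host_header)
    return [
        "SECURITY ALERT: Host header forgery detected on %s (%s)" % (where, reason),
        "SECURITY ALERT: By user agent: %s" % user_agent,
        "SECURITY ALERT: on URL: %s:%d" % (host, port),
    ]


if __name__ == "__main__":
    cases = [
        Intercepted("10.10.0.50", 80, "192.0.2.9", "CONNECT client9.dropbox.com:443 HTTP/1.1"),
        Intercepted("10.10.0.50", 80, "192.0.2.9", "CONNECT intranet.example:443 HTTP/1.1"),
        Intercepted("10.10.0.50", 80, "192.0.2.9", "GET / HTTP/1.1", host_header="intranet.example"),
    ]
    for c in cases:
        ok, reason = verify_host(c)
        if ok:
            print(c.request_line, "-> accepted")
        else:
            print("\n".join(format_alert(c, reason)))
            print("abandoning local=%s:%d remote=%s" % (c.local_ip, c.local_port, c.remote_ip))
```

The first case reproduces the alert in the post: client9.dropbox.com does not resolve to 10.10.0.50, so the connection is abandoned before the port is even compared. The second shows the other failure Amos mentions: the name does resolve to the intercepted address, but the client asked for :443 on a connection that arrived on port 80, so the TLS handshake that follows the CONNECT would not succeed anyway.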