Re: [squid-users] is it a DOS attack ??

From: Hwee Khoon, Neo <hweekhoon.neo@dont-contact.us>
Date: Tue, 17 Feb 2004 08:55:19 +0800

acl msurl url_regex ^http://www\.microsoft\.com
# no requested object
acl msurlpath urlpath_regex /$
# any user agent
acl msurlbro browser .*

# allow users whose browser sends a User-Agent header
http_access allow msurl msurlbro
# deny those that don't
http_access deny msurl msurlpath

# don't bother sending a reply to the virus
deny_info TCP_RESET msurl msurlpath

To ensure that everything works, check your access log and you should see:
1076806934.151 451 202.133.44.214 TCP_DENIED 0 GET http://www.microsoft.com/ - NONE/- -

Rgds
HK
----- Original Message -----
From: "Danish Khan" <danish.khan@go4b.net>
To: "'Hwee Khoon, Neo'" <hweekhoon.neo@pacific.net.sg>; "'Duane Wessels'"
<wessels@squid-cache.org>
Cc: <squid-users@squid-cache.org>
Sent: Monday, February 16, 2004 9:52 PM
Subject: RE: [squid-users] is it a DOS attack ??

> Thx for the reply. In this scenario how I blocked those requests on my Proxy
> which are carrying that doom virus. i.e how I trace them.
>
> Thx
> Regards,
> Danish Khan
>
> -----Original Message-----
> From: Hwee Khoon, Neo [mailto:hweekhoon.neo@pacific.net.sg]
> Sent: Monday, February 16, 2004 1:04 PM
> To: danish.khan@go4b.net; 'Duane Wessels'
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] is it a DOS attack ??
>
> Try and access www.microsoft.com from your squid server; if you can't get
> thru, it means microsoft has blocked you out.
>
> If you are getting a lot of requests to www.microsoft.com without any
> user-agent header and request object, some machines using your proxy could
> have been infected with the mydoom.c virus and are trying to flood the
> website with requests.
>
> Try and block these requests out by denying requests that do not have any
> user-agent header inside squid.conf.
>
> rgds
> hk
>
>
> ----- Original Message -----
> From: "Danish Khan" <danish.khan@go4b.net>
> To: "'Duane Wessels'" <wessels@squid-cache.org>
> Cc: <squid-users@squid-cache.org>
> Sent: Sunday, February 15, 2004 12:35 PM
> Subject: RE: [squid-users] is it a DOS attack ??
>
>
> > Yea I can saw the forwarding loop thing in cache.log.. but plz tell me in
> > detail that how I overcome that.
> >
> > Regards
> >
> > Danish Khan
> >
> > -----Original Message-----
> > From: Duane Wessels [mailto:wessels@squid-cache.org]
> > Sent: Sunday, February 15, 2004 5:51 AM
> > To: Danish Khan
> > Cc: squid-users@squid-cache.org
> > Subject: RE: [squid-users] is it a DOS attack ??
> >
> >
> >
> >
> > On Sat, 14 Feb 2004, Danish Khan wrote:
> >
> > > I have configured my box with 8192 FD but still I got warnings of FD's and
> > > too many comm.(23) Port error WHY plz update :(
> > >
> > > Danish
> > >
> > > -----Original Message-----
> > > From: Mahmood Ahmed [mailto:braveheart@buraak.net.pk]
> > > Sent: Saturday, February 14, 2004 10:24 PM
> > > To: squid-users@squid-cache.org
> > > Subject: [squid-users] is it a DOS attack ??
> > >
> > > Hello List!
> > >
> > > I have been facing this strange problem for the last 3 days. I hope someone
> > > here will be able to shed light on it. I don't know whether it's a bug or a
> > > virus or a DOS attack but it is hitting my squid box very hard. In my access
> > > log I am seeing a lot of these.
> > >
> > > 1076806934.151 451 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
> > > 1076806934.163 461 202.133.44.214 TCP_MISS/000 0 GET
> >
> > This looks to me like a forwarding loop.
> >
> > Are you using HTTP interception?
> >
> > Duane W.
> >
>
>
Received on Mon Feb 16 2004 - 17:55:16 MST
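
Added example, not part of the original posts and not Squid's own code: a sketch for the "how I trace them" question that reads native-format access.log lines and lists the clients sending bursts of empty GETs for http://www.microsoft.com/, the pattern shown in the thread. The zero-byte filter, the threshold and window values, and the 192.0.2.x clients are assumptions made for this example.

```python
from collections import defaultdict
TARGET_URL = "http://www.microsoft.com/"  # URL from the thread's access.log lines

# Constructed sample in Squid's native access.log layout. The first two lines are
# the ones quoted in the thread; the rest (incl. 192.0.2.x clients) are made up.
SAMPLE_LOG = """\
1076806934.151 451 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806934.163 461 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806934.201 449 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806934.500 320 192.0.2.10 TCP_MISS/200 15320 GET http://www.microsoft.com/ - DIRECT/www.microsoft.com text/html
1076806934.900 12 192.0.2.20 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806935.020 3 202.133.44.214 TCP_DENIED 0 GET http://www.microsoft.com/ - NONE/- -
truncated line
1076806940.000 2 202.133.44.214 TCP_DENIED 0 GET http://www.microsoft.com/ - NONE/- -
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        ts, size = float(f[0]), int(f[4])
    except ValueError:
        return None
    code, _, status = f[3].partition("/")  # status can be absent, as in the thread
    return {"ts": ts, "client": f[2], "code": code, "status": status,
            "bytes": size, "method": f[5], "url": f[6]}

def suspect_clients(lines, threshold=3, window=1.0):
    """Clients with >= threshold zero-byte GETs for TARGET_URL inside `window` seconds."""
    times = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "GET" and e["url"] == TARGET_URL and e["bytes"] == 0:
            times[e["client"]].append(e["ts"])
    suspects = {}
    for client, ts in times.items():
        ts.sort()
        best = start = 0  # sliding window over the sorted timestamps
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[client] = {"total": len(ts), "burst": best}
    return suspects

if __name__ == "__main__":
    print(suspect_clients(SAMPLE_LOG.splitlines()))
```

The native log does not record the User-Agent header, so the sketch keys on the URL, the zero reply size and the request rate; the flagged addresses are the machines to check for infection.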
