Re: [squid-users] weird traffic coming from my squid box to clients on port 3128

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 04 Feb 2009 17:39:39 +1300

Bostonian wrote:
> With netstat -n |grep SYN_RECV command, it shows that a few foreign hosts
>
> tcp 0 xx.xx.xx.xxx.3128 yy.yy.yy.yyy.1433 SYN_RECV
> ....
>
> With netstat -n|grep ESTABLISHED command, it shows that a few foreign hosts
>
> tcp 0 xx.xx.xx.xxx.3128 zz.zz.zzz.zz1430 SYN_RECV
> ....
>
> Is this normal?

Maybe, maybe not.

Check your access.log to see what is happening to those connections.
They may be attack attempts that are denied safely by squid.

Amos

>
>
> On Mon, Feb 2, 2009 at 6:50 PM, Bostonian <ygwen77_at_gmail.com> wrote:
>> I am a newbie here. Does "doing interception on inbound connections"
>> mean that my squid box intercepts the client's request and returns the
>> traffic from port 3128? Is this the normal way through which squid
>> returns the request to its clients?
>> Thank you.
>>
>> On Mon, Feb 2, 2009 at 6:35 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> Dear All:
>>>>
>>>> I am running a squid 3.0 on a centos box and set it as
>>>>
>>>> http_port 3128 transparent
>>>>
>>>> It has been working well for a while. Then I noticed a traffic spike.
>>>> tcpdump shows
>>>> that there is a lot of traffic from port 3128 to other clients. I
>>>> have disabled incoming
>>>> traffic to 3128 from outside.
>>>>
>>>> What could be the reason? Someone hacked my cache?
>>>>
>>>> Best Regards,
>>>> Young Wen
>>>>
>>> Perhaps you are doing interception on inbound connections somehow?
>>> NAT will break past the firewall in that case.
>>>
>>> Amos
>>>
>>>
>>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
   Current Beta Squid 3.1.0.4
Received on Wed Feb 04 2009 - 04:39:34 MST
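
Added example, not part of the original thread and not code from the Squid project: one way to follow the advice above to check access.log, summarising per foreign client whether Squid denied or served its requests. It assumes Squid's native access.log format; the LAN range 192.168.1.0/24 and the sample log lines are constructed placeholders.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1233722379.101    120 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1233722380.412      1 203.0.113.45 TCP_DENIED/403 1420 CONNECT mail.example.net:25 - NONE/- text/html
1233722380.950      0 203.0.113.45 TCP_DENIED/403 1412 GET http://example.org/ - NONE/- text/html
1233722381.020    340 198.51.100.7 TCP_MISS/200 20480 GET http://example.org/page - DIRECT/93.184.216.34 text/html
truncated or garbage line
"""

# Assumption: the networks whose clients are supposed to use this proxy.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def parse_line(line):
    """Return (client, result_code, bytes) or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        client = ipaddress.ip_address(fields[2])
        code = fields[3].partition("/")[0]   # e.g. TCP_DENIED from TCP_DENIED/403
        return client, code, int(fields[4])
    except ValueError:
        return None

def summarize(lines, local_nets=LOCAL_NETS):
    """Per foreign client: request count by result code, bytes actually served."""
    report = defaultdict(lambda: {"codes": Counter(), "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, code, size = rec
        if any(client in net for net in local_nets):
            continue                          # expected clients, not of interest
        entry = report[str(client)]
        entry["codes"][code] += 1
        if code != "TCP_DENIED":              # denied replies are only error pages
            entry["bytes"] += size
    return dict(report)

def served_foreign(report):
    """Foreign clients that received at least one non-denied response."""
    return sorted(ip for ip, e in report.items()
                  if any(code != "TCP_DENIED" for code in e["codes"]))

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG.splitlines())
    for ip, e in rep.items():
        print(ip, dict(e["codes"]), e["bytes"])
    print("served to foreign hosts:", served_foreign(rep))
```

Foreign addresses that appear only with TCP_DENIED match the "denied safely" case; any listed by `served_foreign` are being proxied and point to an ACL or firewall gap.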
