Re: [squid-users] weird traffic coming from my squid box to clients on port 3128

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Feb 2009 19:34:29 +1300

Bostonian wrote:
> Thank you, Amos.
>
> From access.log, these client IPs with state of Established seem to
> have some hits from cached contents.
>
> I have also noticed that squid.ip.randomport. but the majority of
> established TCP connections are using 3128.

Hmm, okay, that doesn't sound good.

Can I see your iptables firewall NAT rules? Anything involving port 80
or 3128.
If you have to fudge IPs please keep it clear what IPs are for, i.e. use
SQUIDIP as a replacement for the squid box IP.

Amos

>
> Any further idea on this issue is highly appreciated.
>
> On Tue, Feb 3, 2009 at 8:39 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Bostonian wrote:
>>> With the netstat -n |grep SYN_RECV command, it shows that a few foreign hosts
>>>
>>> tcp 0 xx.xx.xx.xxx.3128 yy.yy.yy.yyy.1433 SYN_RECV
>>> ....
>>>
>>> With the netstat -n|grep ESTABLISHED command, it shows that a few foreign hosts
>>>
>>> tcp 0 xx.xx.xx.xxx.3128 zz.zz.zzz.zz1430 SYN_RECV
>>> ....
>>>
>>> Is this normal?
>> Maybe, maybe not.
>>
>> Check your access.log to see what is happening to those connections. They
>> may be attack attempts that are denied safely by squid.
>>
>> Amos
>>
>>>
>>> On Mon, Feb 2, 2009 at 6:50 PM, Bostonian <ygwen77_at_gmail.com> wrote:
>>>> I am a newbie here. Does "doing interception on inbound connections"
>>>> mean that my squid box intercepts the client's request and returns the
>>>> traffic from port 3128? Is this the normal way through which squid
>>>> returns the request to its clients?
>>>> Thank you.
>>>>
>>>> On Mon, Feb 2, 2009 at 6:35 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>> Dear All:
>>>>>>
>>>>>> I am running a squid 3.0 on a centos box and set it as
>>>>>>
>>>>>> http_port 3128 transparent
>>>>>>
>>>>>> It has been working well for a while. Then I noticed a traffic spike.
>>>>>> tcpdump shows that there is a lot of traffic from port 3128 to other
>>>>>> clients. I have disabled incoming traffic to 3128 from outside.
>>>>>>
>>>>>> What could be the reason? Someone hacked my cache?
>>>>>>
>>>>>> Best Regards,
>>>>>> Young Wen
>>>>>>
>>>>> Perhaps you are doing interception on inbound connections somehow?
>>>>> NAT will break past the firewall in that case.
>>>>>
>>>>> Amos
>>>>>
>>>>>
>>>>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
>> Current Beta Squid 3.1.0.4
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Thu Feb 05 2009 - 06:34:20 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 05 2009 - 12:00:01 MST
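The check Amos is asking for in this thread, as an added example that is not part of the original messages and not code from the Squid project: an audit of `iptables -t nat -S` output that flags every PREROUTING rule steering traffic into the proxy port without pinning it to the client side of the box. The interface names (eth1 as LAN, eth0 as WAN), the client subnet 192.168.1.0/24, and the sample rule listing are all constructed for the example; the rule syntax is the form `iptables -S` actually prints. The sample deliberately contains the weak form (redirect on every interface), the intended form (restricted to the LAN interface and subnet), and a DNAT bound to the WAN interface, so the output shows which ones a defender would want to fix.

```python
"""Audit iptables NAT rules for Squid interception that is reachable from
outside the LAN.  Added example for this thread, not code from Squid or
from anyone on the list.  Assumed: eth1 is the LAN side, eth0 the WAN side,
and 192.168.1.0/24 is the client network."""
import shlex
from dataclasses import dataclass
from typing import Optional

PROXY_PORT = "3128"

# Constructed sample of `iptables -t nat -S` output (not from the thread).
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE
"""


@dataclass
class NatRule:
    chain: str
    raw: str
    in_iface: Optional[str] = None
    source: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    to_port: Optional[str] = None


def parse_rule(line: str) -> Optional[NatRule]:
    """Parse one `iptables -S` line of the form `-A CHAIN ...`; other lines
    (-P policy, -N new chain) return None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = NatRule(chain=toks[1], raw=line)
    negate = False
    i = 2
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in ("-i", "-s", "--dport", "-j", "--to-ports", "--to-destination"):
            if arg is None:
                break  # option without an argument: stop parsing this rule
            prefix = "!" if negate else ""
            if tok == "-i":
                # "! -i eth0" is kept as "!eth0": not pinned to a trusted LAN interface
                rule.in_iface = prefix + arg
            elif tok == "-s":
                rule.source = prefix + arg
            elif tok == "--dport":
                rule.dport = arg
            elif tok == "-j":
                rule.target = arg
            elif tok == "--to-ports":
                rule.to_port = arg
            else:
                # DNAT target "addr:port"; IPv4 form only in this example
                rule.to_port = arg.rsplit(":", 1)[1] if ":" in arg else None
            negate = False
            i += 2
        else:
            negate = False
            i += 1  # -p tcp, -m tcp, etc.: irrelevant to the audit
    return rule


def audit_nat_rules(iptables_s_output: str, lan_ifaces, lan_cidrs):
    """Return (rule_text, reason) for every PREROUTING rule that sends
    traffic into the proxy port without restricting it to the LAN side."""
    findings = []
    for line in iptables_s_output.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule.chain != "PREROUTING":
            continue
        if rule.target not in ("REDIRECT", "DNAT") or rule.to_port != PROXY_PORT:
            continue
        if rule.in_iface in lan_ifaces or rule.source in lan_cidrs:
            continue  # pinned to the client side: the intended shape
        if rule.in_iface is None and rule.source is None:
            reason = "matches every interface and source: WAN traffic is intercepted too"
        else:
            reason = f"bound to {rule.in_iface or rule.source}, which is not a LAN interface/subnet"
        findings.append((rule.raw, reason))
    return findings


if __name__ == "__main__":
    for raw, reason in audit_nat_rules(SAMPLE_NAT_RULES, {"eth1"}, {"192.168.1.0/24"}):
        print(f"FLAG: {raw}\n      {reason}")
```

On a real box, feed the script the output of `iptables -t nat -S` and substitute the actual LAN interface and subnet; a rule that the audit flags is one that lets connections arriving on the outside interface be redirected into port 3128, which is the "interception on inbound connections" Amos describes as breaking past the firewall.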