Hi There,
Pardon me for the long email. Actually, I faced a DoS attack in a university
setup and want to get help to avoid it in future. I am using the following
version of Squid:
squid -v
Squid Cache: Version 3.4.3
configure options: '--build=x86_64-unknown-linux-gnu'
'--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-ssl' '--enable-ssl-crtd' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=65535' '--with-dl' '--with-openssl'
'--with-pthreads' '--disable-arch-native'
'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
One day I got the following error in the Squid cache log; note that the error
appears every 4 to 5 minutes and the Squid child process crashes.
2014/05/23 14:42:55 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/23 14:45:39 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/23 14:49:47 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
2014/05/23 14:53:55 kid1| assertion failed: store.cc:915: "store_status ==
STORE_PENDING"
.... and so on
The system log is showing as below:
May 23 14:42:56 proxy1 squid[3502]: Squid Parent: (squid-1) process 18622
exited due to signal 6 with status 0
May 23 14:42:59 proxy1 squid[3502]: Squid Parent: (squid-1) process 18678
started
May 23 14:45:40 proxy1 squid[3502]: Squid Parent: (squid-1) process 18678
exited due to signal 6 with status 0
May 23 14:45:43 proxy1 squid[3502]: Squid Parent: (squid-1) process 18734
started
May 23 14:49:48 proxy1 squid[3502]: Squid Parent: (squid-1) process 18734
exited due to signal 6 with status 0
May 23 14:49:51 proxy1 squid[3502]: Squid Parent: (squid-1) process 18794
started
May 23 14:53:56 proxy1 squid[3502]: Squid Parent: (squid-1) process 18794
exited due to signal 6 with status 0
May 23 14:53:59 proxy1 squid[3502]: Squid Parent: (squid-1) process 18855
started
..... and so on.
After a day of struggle I denied some IP subnet access to the Squid
cache, and the issue of this failed assertion was resolved.
In this regard, it seems that some denial-of-service attack was
executed. But from the access log I have not been able to point out who could
be the culprit, or what query made it possible for him to exploit this
vulnerability in the latest version of Squid, 3.4.3.
Please help me in mitigating this, so that future attacks of this kind can be
immediately blocked or a relevant patch can be added to Squid.
Thanks for your support in advance.
Farooq Bhatti
Received on Tue May 27 2014 - 04:30:15 MDT
This archive was generated by hypermail 2.2.0 : Tue May 27 2014 - 12:00:13 MDT
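
Added example (not part of the original message and not Squid project code): one way to approach the question raised above is to correlate each "assertion failed" timestamp in cache.log with the clients seen in access.log during the seconds before it. It assumes the default native access.log format and that cache.log timestamps are local time at a known UTC offset; the access.log lines and client addresses below are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assertion lines are taken from the post; access.log lines and IPs are constructed.
CACHE_LOG = """\
2014/05/23 14:42:55 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING"
2014/05/23 14:45:39 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING"
2014/05/23 14:49:47 kid1| assertion failed: store.cc:915: "store_status == STORE_PENDING"
"""
ACCESS_LOG = """\
1400856160.512 340 10.0.5.23 TCP_MISS/200 5120 GET http://a.example.test/ - HIER_DIRECT/192.0.2.10 text/html
1400856170.101 120 10.0.7.8 TCP_MISS/200 900 GET http://b.example.test/ - HIER_DIRECT/192.0.2.11 text/html
1400856250.000 95 10.0.9.1 TCP_HIT/200 700 GET http://c.example.test/ - HIER_NONE/- text/css
1400856330.204 410 10.0.5.23 TCP_MISS/200 5120 GET http://a.example.test/ - HIER_DIRECT/192.0.2.10 text/html
1400856580.930 388 10.0.5.23 TCP_MISS/200 5120 GET http://a.example.test/ - HIER_DIRECT/192.0.2.10 text/html
"""

ASSERT_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| assertion failed:")

def crash_times(cache_log, utc_offset_hours=0):
    """Epoch seconds of every 'assertion failed' line (cache.log uses local time)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    times = []
    for line in cache_log.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            dt = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
            times.append(int(dt.timestamp()))
    return times

def suspects(cache_log, access_log, window=30, utc_offset_hours=0):
    """Return (clients active before every crash, per-client crash-window counts)."""
    crashes = crash_times(cache_log, utc_offset_hours)
    entries = []
    for line in access_log.splitlines():
        f = line.split()
        if len(f) >= 7:                      # native format: time elapsed client ...
            entries.append((float(f[0]), f[2]))
    hits = Counter()
    for t in crashes:
        # access.log is written when a transaction finishes, so the request in
        # flight at the abort may be missing; look at who was active just before.
        hits.update({ip for ts, ip in entries if t - window <= ts <= t})
    always = [(ip, n) for ip, n in hits.most_common() if n == len(crashes)]
    return always, hits

if __name__ == "__main__":
    print(suspects(CACHE_LOG, ACCESS_LOG))
```

Clients that appear in every pre-crash window are candidates for a temporary deny ACL while the assertion is reported upstream with a backtrace.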