* too many error requests
From: Askar Ali Khan @ 2004-08-01 7:39 UTC
To: netfilter
hi all,
we are a small-town based ISP for dialup users; for some time we have
been getting too many requests like .... in our squid access.log
203.xx.xxx.62 | NONE/413 | 1653 | NONE |error:request-too-large
It gets worse if we let the client who is sending such requests stay
connected for a while; after some time (within a minute) if we check
the client sending the errors with
netstat -taun | grep IP | wc -l
500
500 is too many connections (and sometimes it's somewhere in 700-800)
from a single client; normally it would be 10 or 20 maximum.
And here is the tcpdump -n -t host IpOfClient-error-request-too-large
3.89.146.62.4563 > 203.89.149.112.http: S 4257159308:4257159308(0) win
8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4579 > 203.89.146.213.6129: S 4257825751:4257825751(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4572 > 203.89.146.213.2745: S 4257614747:4257614747(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4608 > 203.248.165.97.2745: S 4259124906:4259124906(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4612 > 203.248.165.97.3127: S 4259306850:4259306850(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4605 > 203.171.104.23.6129: S 4258977243:4258977243(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4592 > 203.89.210.235.1025: S 4258477049:4258477049(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4604 > 203.171.104.23.3127: S 4258938239:4258938239(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4598 > 203.89.210.235.http: S 4258699747:4258699747(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
It's just a small snapshot :)
We categorise this sort of client as virus infected and disconnect
him forcefully :( not a good practice, however it's necessary to get
rid of such shit and also sometimes block the user until he has
cleaned his system.
1) Alright, I'm not going to ask squid related things in this mailing
list, however I'd love to know if someone knows, after watching the
tcpdump output, what sort of requests he is sending and whether he is
really infected with some type of virus or spyware?
2) Is it possible to block his "error:request-too-large" requests with iptables?
Any help in this regard will be greatly appreciated as before :)
Regards
Askar Ali
* RE: too many error requests
From: Jason Opperisano @ 2004-08-01 13:24 UTC
To: netfilter
> 203.xx.xxx.62 | NONE/413 | 1653 | NONE
> |error:request-too-large
Look in your squid.conf file for the directives:
request_header_max_size
request_body_max_size
In 2.5 the former defaults to 10 KB, the latter defaults to no limit.
> And here is the tcpdum -n -t host IpOfClient-error-request-too-large
>
> 3.89.146.62.4563 > 203.89.149.112.http: S 4257159308:4257159308(0) win
> 8760 <mss 1460,nop,nop,sackOK> (DF)
That is HTTP (or port 80 at least) and would be part of the problem you're having.
> 203.89.146.62.4579 > 203.89.146.213.6129: S 4257825751:4257825751(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4572 > 203.89.146.213.2745: S 4257614747:4257614747(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4608 > 203.248.165.97.2745: S 4259124906:4259124906(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4612 > 203.248.165.97.3127: S 4259306850:4259306850(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4605 > 203.171.104.23.6129: S 4258977243:4258977243(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4592 > 203.89.210.235.1025: S 4258477049:4258477049(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
> 203.89.146.62.4604 > 203.171.104.23.3127: S 4258938239:4258938239(0)
> win 8760 <mss 1460,nop,nop,sackOK> (DF)
None of the above packets are destined for port 80. They are for:
6129 - Dameware
2745 - Beagle Virus
3127 - MyDoom
1025 - Various MS RPC & LSA exploits
So yeah--I'd say that the host at 203.89.146.62 has some issues...
> 1) Alright im not going to ask squid related things in this mailing
> list, however I love to know if someone knows after watching tcpdump
> output what sorta request he is sending and is he really infected with
> some type of virues, spyware?
Oops, guess I already answered those...
> 2) Is it possible to block his "error:request-too-large" requests with iptables?
Surely...IIRC you are transparently redirecting your internal traffic to the squid proxy on the same machine as netfilter. In that case, you need to catch this traffic *prior* to the redirect. Somewhere in your script you have:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
So, before that, you need:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 \
-s 203.89.146.62 -j DROP
"-I" will make it the first rule, "-I PREROUTING X", will insert it at rule X...
In addition to keeping this machine from bashing your squid proxy, I would go ahead and block all that other virus nastiness with:
iptables -I FORWARD -s 203.89.146.62 -j DROP
Same caveats for use of "-I" apply...
Now--if you want to be a nice guy...instead of just blocking all access from this machine without informing the user--you could do this (again--this probably belongs on a squid mailing list):
Forget the PREROUTING DROP rule (but keep the FORWARD DROP rule), and allow the user to make it to the squid proxy. Add the following to squid.conf:
acl INFECTED src 203.89.146.62/32
# this must go somewhere before your line "http_access allow localnets"
http_access deny INFECTED
deny_info infected.html INFECTED
Create a file called infected.html in the directory defined as "error_directory" and place in it something along the lines of:
Your machine has been denied access for being infected with malware (virii, trojans, spyware, backdoors).
Please contact Tech Support at [ ... ] for help resolving this issue...
In my experience, most users don't know they are infected, but just cutting off their network access without letting them know why isn't really all that productive either.
Sorry for getting a little OT with the squid stuff...
-j
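An added example, not part of the thread: a small Python triage script that applies the reply's reasoning to captures and logs of the shape shown above. It parses "tcpdump -n -t" SYN lines, counts squid "error:request-too-large" entries per client, and flags a client only when it both hammers the proxy and sends SYNs to the ports the reply associates with malware (6129, 2745, 3127, 1025). The sample capture and log lines are constructed for the example, modelled on the thread's output.

```python
import re
from collections import Counter, defaultdict
# Ports the reply ties to malware/remote-control traffic (taken from the thread).
SUSPECT_PORTS = {6129: "Dameware", 2745: "Beagle", 3127: "MyDoom", 1025: "MS RPC/LSA"}
# "tcpdump -n -t" SYN line as shown in the thread: "src.port > dst.port: S seq:seq(0) win ..."
SYN_RE = re.compile(r"^(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\w+): S ")

# Constructed sample input modelled on the thread's output (not the original capture/log).
SAMPLE_TCPDUMP = [
    "203.89.146.62.4563 > 203.89.149.112.http: S 1:1(0) win 8760 <mss 1460> (DF)",
    "203.89.146.62.4579 > 203.89.146.213.6129: S 2:2(0) win 8760 <mss 1460> (DF)",
    "203.89.146.62.4572 > 203.89.146.213.2745: S 3:3(0) win 8760 <mss 1460> (DF)",
    "203.89.146.62.4612 > 203.248.165.97.3127: S 4:4(0) win 8760 <mss 1460> (DF)",
    "203.89.146.62.4592 > 203.89.210.235.1025: S 5:5(0) win 8760 <mss 1460> (DF)",
    "203.89.146.70.1100 > 203.89.149.112.http: S 6:6(0) win 8760 <mss 1460> (DF)",
]
SAMPLE_SQUID = [
    "203.89.146.62 | NONE/413 | 1653 | NONE | error:request-too-large",
    "203.89.146.62 | NONE/413 | 1653 | NONE | error:request-too-large",
    "203.89.146.70 | TCP_MISS/200 | 4210 | GET | http://www.example.com/",
]

def parse_syns(lines):
    """Map each source IP to a Counter of destination ports it sent SYNs to ('http' -> 80)."""
    by_src = defaultdict(Counter)
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:  # wrapped continuation lines such as "win 8760 <mss ...>" are skipped
            src, _, _, dport = m.groups()
            by_src[src][80 if dport == "http" else int(dport)] += 1
    return by_src

def count_413s(squid_lines):
    """Count 'error:request-too-large' entries per client in the '|'-separated log format."""
    hits = Counter()
    for line in squid_lines:
        fields = [f.strip() for f in line.split("|")]
        if "error:request-too-large" in fields:
            hits[fields[0]] += 1
    return hits

def suspect_hosts(tcpdump_lines, squid_lines, min_413=1, min_ports=2):
    """Flag a client that both triggers 413s on squid and sends SYNs to known malware ports."""
    syns, errs = parse_syns(tcpdump_lines), count_413s(squid_lines)
    flagged = {}
    for src, ports in syns.items():
        bad = sorted(p for p in ports if p in SUSPECT_PORTS)
        if errs[src] >= min_413 and len(bad) >= min_ports:
            flagged[src] = [SUSPECT_PORTS[p] for p in bad]
    return flagged
```

A flagged address is the one to feed into the FORWARD DROP rule and the squid INFECTED acl from the reply; the thresholds are assumptions to tune for your own link.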