Re: [squid-users] TCP_MISS/200 in logfile!

From: Masood Ahmad Shah <masood@dont-contact.us>
Date: Wed, 10 Sep 2003 16:04:39 +0500

Numan,

There are so many solutions to block things like that.
1> You can put an inline IDS before Squid. The IDS will detect attack machines
via IP and block these IPs from the router or via ipchains, iptables or ipfw
if you are using a Unix-like OS; it depends on the inline IDS settings.
2> You can filter these types of request via a Squid ACL, but it will not
decrease the load on your network. Better to block these IPs for port 80 :).
3> One of the best solutions, if you remember the NIMDA or Code Red days :). I
guess you have a Cisco router; if yes, then check the way you can block
these types of attacks shown below...

First check your IOS:

      Platform   IOS
      7200       12.1(5)T
      7100       12.1(5)T
      3660       12.1(5)T
      3640       12.1(5)T
      3620       12.1(5)T
      2600       12.1(5)T
      1700       12.2(5)T

Note: You need to enable Cisco Express Forwarding (CEF) in order to use
Network-Based Application Recognition (NBAR).

1> Router(config)#class-map match-any http-hacks
   Router(config-cmap)#match protocol http url "*NONE/*"
2> Router(config)#policy-map mark-inbound-http-hacks
   Router(config-pmap)#class http-hacks
   Router(config-pmap)#set ip dscp 1
3> Router(config)#interface serial 0/0
   Router(config-if)#service-policy input mark-inbound-http-hacks
4> Router(config)#access-list 105 deny ip any any dscp 1
   Router(config)#access-list 105 permit ip any any
5> Router(config)#interface ethernet 0/0
   Router(config-if)#ip access-group 105 out

I'm sure it will work like a charm. :)

-- 
Best Regs,
Masood Ahmad Shah
System Administrator
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
|   * * * * * * * * * * * * * * * * * * * * * * * *
|   Fibre Net (Pvt) Ltd. Lahore, Pakistan
|   Tel: +92-42-6677024
|   Mobile: +92-300-4277367
|   http://www.fibre.net.pk
|   * * * * * * * * * * * * * * * * * * * * * * * *
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
----- Original Message ----- 
From: "Nauman Malik" <naumanm@khi.wol.net.pk>
To: "Henrik Nordstrom" <hno@squid-cache.org>; "squid"
<squid-users@squid-cache.org>
Sent: Wednesday, September 10, 2003 3:48 PM
Subject: Re: [squid-users] TCP_MISS/200 in logfile!
Yes...that is true...But is it possible that we add some ACL or filter in
squid to block these types of requests?
*********** REPLY SEPARATOR  ***********
On 9/10/2003 at 12:14 PM Henrik Nordstrom wrote:
>On Wednesday 10 September 2003 11.18, Nauman Malik wrote:
>> I have lots of TCP_MISS/504 in log files. It slows down my proxy as
>> well. Any idea?
>>
>>
>> 1063160536.044 509082 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.131.202/ - NONE/- -
>> 1063160536.044 509617 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.132.189/ - NONE/- -
>> 1063160537.027 509295 202.15.52.45 TCP_MISS/504 1019 GET http://202.100.132.28/ - NONE/- -
>> 1063160537.027 509535 202.15.52.45 TCP_MISS/504 1019 GET http://202.100.132.30/ - NONE/- -
>> 1063160537.027 509325 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.131.200/ - NONE/- -
>> 1063160537.027 419656 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.160.153/ - NONE/- -
>> 1063160539.014 509486 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.132.238/ - NONE/- -
>> 1063160539.014 509342 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.133.206/ - NONE/- -
>
>Most likely the client with IP 202.15.52.45 is infected by a
>virus/worm trying to propagate itself to random IIS servers on the
>net or otherwise scanning the network for HTTP servers via your
>proxy.
>
>Regards
>Henrik
>
>-- 
>Donations welcome if you consider my Free Squid support helpful.
>https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
>If you need commercial Squid support or cost effective Squid or
>firewall appliances please refer to MARA Systems AB, Sweden
>http://www.marasystems.com/, info@marasystems.com
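The thread diagnoses the log pattern by eye (one client, many bare-IP destinations, every request timing out) and then asks whether Squid itself can filter it. The script below is an added example, not code from the thread or from the Squid project: it parses Squid's native access.log format as quoted above, aggregates per client, and flags any client that reached many distinct IP-literal hosts with mostly 5xx results in a short span. The first eight sample lines are the entries quoted in the thread; the last two are constructed benign requests from another client for contrast. The thresholds (5 distinct hosts, 60 seconds, 80% errors) and the ACL name `worm_scanners` are assumptions, and the rendered squid.conf fragment only stops the proxy from forwarding the scans, which is the limitation the reply already points out.

```python
"""Flag a proxy client that is scanning random web servers through Squid.

Added example (not from the thread). Parses Squid's native access.log format and
reports clients whose traffic looks like worm propagation via the proxy.
"""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample input: first eight lines are the entries quoted in the thread; the last
# two are constructed, benign requests from a second client for contrast.
SAMPLE_LOG = """\
1063160536.044 509082 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.131.202/ - NONE/- -
1063160536.044 509617 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.132.189/ - NONE/- -
1063160537.027 509295 202.15.52.45 TCP_MISS/504 1019 GET http://202.100.132.28/ - NONE/- -
1063160537.027 509535 202.15.52.45 TCP_MISS/504 1019 GET http://202.100.132.30/ - NONE/- -
1063160537.027 509325 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.131.200/ - NONE/- -
1063160537.027 419656 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.160.153/ - NONE/- -
1063160539.014 509486 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.132.238/ - NONE/- -
1063160539.014 509342 202.15.52.45 TCP_MISS/504 1021 GET http://202.100.133.206/ - NONE/- -
1063160540.101 312 10.0.0.7 TCP_MISS/200 8841 GET http://www.squid-cache.org/ - DIRECT/192.0.2.10 text/html
1063160541.220 18 10.0.0.7 TCP_HIT/200 2301 GET http://www.squid-cache.org/Doc/ - NONE/- text/html
"""

# Native format: time elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one native-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def url_host(url):
    """Host part of the request URL. CONNECT requests log a bare host:port, so prefix '//' for urlsplit."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname


def is_ip_literal(host):
    """True when the request named the server by IP address rather than by hostname."""
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def scan_suspects(lines, min_distinct_hosts=5, max_span_seconds=60, min_error_ratio=0.8):
    """Return {client: stats} for clients whose traffic looks like a scan through the proxy.

    A client is flagged when it requested at least min_distinct_hosts different
    IP-literal hosts within max_span_seconds and got 5xx results on at least
    min_error_ratio of its requests. Everything passed in is aggregated, so feed
    it a time slice of the log (e.g. the last few minutes). Thresholds are assumptions.
    """
    per_client = defaultdict(lambda: {"requests": 0, "errors": 0, "ip_hosts": set(),
                                      "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_client[rec["client"]]
        st["requests"] += 1
        st["first"] = rec["ts"] if st["first"] is None else min(st["first"], rec["ts"])
        st["last"] = rec["ts"] if st["last"] is None else max(st["last"], rec["ts"])
        if rec["status"] >= 500:          # 504 here: the random target never answered
            st["errors"] += 1
        if is_ip_literal(url_host(rec["url"])):
            st["ip_hosts"].add(url_host(rec["url"]))

    suspects = {}
    for client, st in per_client.items():
        span = st["last"] - st["first"]
        ratio = st["errors"] / st["requests"]
        if (len(st["ip_hosts"]) >= min_distinct_hosts
                and span <= max_span_seconds
                and ratio >= min_error_ratio):
            suspects[client] = {"requests": st["requests"], "errors": st["errors"],
                                "distinct_ip_hosts": len(st["ip_hosts"]),
                                "span_seconds": round(span, 3)}
    return suspects


def squid_deny_acl(clients, acl_name="worm_scanners"):
    """Render a squid.conf fragment (src ACL + http_access deny) for the flagged clients.

    This is the 'filter in Squid' option from the thread: the proxy stops forwarding
    the scans, but the infected host still sends them, so it does not cut network load.
    """
    out = [f"acl {acl_name} src {c}" for c in sorted(clients)]
    out.append(f"http_access deny {acl_name}")
    return "\n".join(out)


if __name__ == "__main__":
    found = scan_suspects(SAMPLE_LOG.splitlines())
    for client, stats in found.items():
        print(f"{client}: {stats}")
    if found:
        print(squid_deny_acl(found))
```

Run against the sample, only 202.15.52.45 is reported (8 requests, 8 distinct IP-literal hosts, all 504, within about 3 seconds), and the benign client stays clear because its destinations are hostnames and its statuses are 200. The same per-client aggregate is what an IDS rule or a router-side block, the reply's options 1 and 3, would key on; the Squid ACL fragment is the quickest stopgap while that block is put in place.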
Received on Wed Sep 10 2003 - 05:05:07 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:37 MST