Hi everyone,
We notice that a number of our cache users are doing a port 80 scan
across a range of IP addresses. As the destination IPs are rather random,
is there any way we can configure Squid to deny such a request pattern?
Squid's access log--------------------------------------------------
1069968709.859 3404 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.7/ - NONE/- -
1069968709.859 3404 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.8/ - NONE/- -
1069968709.859 3404 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.9/ - NONE/- -
1069968709.859 3380 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.10/ - NONE/- -
1069968709.859 3380 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.11/ - NONE/- -
1069968709.859 3380 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.12/ - NONE/- -
1069968709.859 3369 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.13/ - NONE/- -
1069968710.088 3599 OURIPADDRESS TCP_MISS/000 0 GET http://218.69.28.15/ - NONE/- -
HTTP Header------------------------------------------------
GET / HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jp
eg, image/pjpeg, */*..User-Agent: Mozilla/4.0 (compatible; M
SIE 5.5; Windows 98)..Host: 218.69.28.11..Connection: Keep-
Alive....
Thanks!
Hwee Khoon
Received on Sun Nov 30 2003 - 19:13:03 MST
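
The request pattern in the log above can be picked out of access.log offline. The following is an added example, not part of the original post and not Squid configuration: it flags clients that request many distinct IP-literal URLs whose result code ends in /000 within a short time span. The 10-second window, the threshold of 5 targets and the 192.0.2.x client addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout, modelled on the
# lines in the post. The 192.0.2.x client addresses are placeholders.
SAMPLE_LOG = """\
1069968709.859 3404 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.7/ - NONE/- -
1069968709.859 3404 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.8/ - NONE/- -
1069968709.859 3404 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.9/ - NONE/- -
1069968709.859 3380 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.10/ - NONE/- -
1069968709.859 3380 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.11/ - NONE/- -
1069968710.088 3599 192.0.2.10 TCP_MISS/000 0 GET http://218.69.28.15/ - NONE/- -
1069968711.120 210 192.0.2.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1069968712.300 3100 192.0.2.20 TCP_MISS/000 0 GET http://218.69.28.7/ - NONE/- -
"""

def parse_line(line):
    """Return (timestamp, client, result_code, ip_host), or None to skip."""
    f = line.split()
    try:
        ts, client, code = float(f[0]), f[2], f[3]
        host = urlsplit(f[6]).hostname
        ipaddress.ip_address(host or "")  # ValueError unless host is an IP
    except (IndexError, ValueError):
        return None  # malformed line, or the URL names a host
    return ts, client, code, host

def find_scanners(lines, window=10.0, min_targets=5):
    """Map client -> most distinct unanswered IP targets in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2].endswith("/000"):  # no HTTP status recorded
            events[rec[1]].append((rec[0], rec[3]))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, len({h for _, h in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

A single unanswered request to an IP address, as from 192.0.2.20 in the sample, stays below the threshold and is not flagged.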