Android client flooding squid


Android client flooding squid

Heiler Bemerguy


Hi guys,

Every day I get tons of these GETs, a lot from the same IP, then a lot from other IPs of our local intranet (we have some APs plugged on our intranet). This has been happening since forever, but I'm trying to understand/get rid of it.

Any ideas?

1513079234.177      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.280      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.379      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.485      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.587      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.695      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.802      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079235.187      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079235.291      2 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html

tcpdumped, client request:

GET http://172.217.28.132/ HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; GT-I9505 Build/JSS15J)
Host: www.google.com
Connection: close

proxy response:

HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Tue, 12 Dec 2017 10:34:02 GMT
Expires: Thu, 11 Jan 2018 10:34:02 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 14658
X-Cache: HIT from proxy
Via: 1.1 proxy (squid)
Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

-- 
Atenciosamente / Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Android client flooding squid

Amos Jeffries
Administrator
On 13/12/17 03:46, Heiler Bemerguy wrote:

>
> Hi guys,
>
> Every day I get tons of these GETs, a lot from the same IP, then a lot
> from other IPs of our local intranet (we have some APs plugged on our
> intranet). This has been happening since forever, but I'm trying to
> understand/get rid of it.
>
> Any ideas?
>

The client software is broken.

1) using explicit URLs with raw-IPv4 to make its requests, and ..

2) performing Host header forgery. www.google.com is hosted in Google's
servers assigned the 216/8 IP range, not the 172/8 range. And ..

3) not obeying the clear instruction that the given Domain is *only*
available when fetched by name (not by raw-IP).


Your options are to either:

  get the client software fixed

OR,
  configure ACLs detecting when such clients deliver those raw-IP URLs
and reject them with a 403 instead of a 301.

That can be done with an external ACL helper in http_reply_access that
tracks 301 + Content-Location and which client they were sent to.
Rejecting them with a 403 after an arbitrary number of repeats.


Amos
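
Added example, not part of either message and not Squid project code: an offline pass over access.log lines in the format posted above that applies the tracking idea from the reply (count repeated 301 answers to raw-IPv4 URLs per client) to list the clients a reject rule would hit. The threshold and window values and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from urllib.parse import urlsplit

THRESHOLD = 5    # assumed: repeats tolerated before a client is flagged
WINDOW = 10.0    # assumed: sliding window, in seconds

# First six lines are from the post; the last two are constructed negatives.
SAMPLE = """\
1513079234.177      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.280      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.379      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.485      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.587      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079234.695      1 10.20.5.2 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079240.010      1 10.20.5.9 TCP_HIT/301 619 GET http://172.217.28.132/ - HIER_NONE/- text/html
1513079240.120     35 10.20.5.7 TCP_MISS/200 5120 GET http://www.google.com/ - HIER_DIRECT/www.google.com text/html
""".splitlines()

def parse_line(line):
    """Return (timestamp, client, status, method, url), or None if malformed."""
    f = line.split()
    try:
        return float(f[0]), f[2], int(f[3].rsplit("/", 1)[1]), f[5], f[6]
    except (IndexError, ValueError):
        return None

def is_raw_ipv4_url(url):
    """True when the URL's host is an IPv4 literal rather than a name."""
    try:
        ipaddress.IPv4Address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def flag_clients(lines, threshold=THRESHOLD, window=WINDOW):
    """Map client IP -> timestamp at which it first exceeded the threshold."""
    recent, flagged = defaultdict(deque), {}
    for ts, client, status, method, url in filter(None, map(parse_line, lines)):
        if status != 301 or method != "GET" or not is_raw_ipv4_url(url):
            continue
        q = recent[(client, url)]
        q.append(ts)
        while ts - q[0] > window:      # drop hits older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(client, ts)
    return flagged

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```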