Squid Behavior to Ping Destination on Registered Ports


Squid Behavior to Ping Destination on Registered Ports

Kevin Wong

My firewall (Juniper SRX) caught outbound ICMP flows using vulnerable ports before initiating outbound HTTP traffic.  I am running an updated Squid Proxy on Ubuntu 16.04.  Can anybody explain or confirm the Squid behavior?

Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny

Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny

Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1536->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny


For more details and flow examples, I posted on serverfault:

https://serverfault.com/questions/879394/squid-proxy-using-vulnerable-ports


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid Behavior to Ping Destination on Registered Ports

Antony Stone
On Saturday 18 November 2017 at 21:21:38, Kevin Wong wrote:

> My firewall (Juniper SRX) caught outbound ICMP flows using vulnerable ports

That makes no sense.  ICMP doesn't use port numbers.

> before initiating outbound HTTP traffic.  I am running an updated Squid
> Proxy on Ubuntu 16.04.  Can anybody explain or confirm the Squid behavior?

What ICMP traffic are you blocking and why?


Antony.

--
I bought a book about anti-gravity.  The reviews say you can't put it down.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid Behavior to Ping Destination on Registered Ports

Kevin Wong
In reply to this post by Kevin Wong

Date: Sat, 18 Nov 2017 22:06:31 +0000
From: Antony Stone <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] Squid Behavior to Ping Destination on
        Registered      Ports
Message-ID: <[hidden email]>
Content-Type: Text/Plain;  charset="iso-8859-15"

On Saturday 18 November 2017 at 21:21:38, Kevin Wong wrote:

> My firewall (Juniper SRX) caught outbound ICMP flows using vulnerable ports

That makes no sense.  ICMP doesn't use port numbers.


That is why I asked the list, and it was a follow-up question if somebody replied it is "normal traffic to find the path to the destination or proxies in between".
 
> before initiating outbound HTTP traffic.  I am running an updated Squid
> Proxy on Ubuntu 16.04.  Can anybody explain or confirm the Squid behavior?

What ICMP traffic are you blocking and why?


Besides some basic IDS rules, I'm not blocking ICMP traffic.  What's being blocked are all ports that are not explicitly allowed outbound.  In this case, ports 1024, 1280, and 1536 were blocked and 80/tcp, 53/udp are allowed outbound.
 

Antony.

--
I bought a book about anti-gravity.  The reviews say you can't put it down.

                                                   Please reply to the list;
                                                         please *don't* CC me.


Re: Squid Behavior to Ping Destination on Registered Ports

Antony Stone
On Saturday 18 November 2017 at 22:37:20, Kevin Wong wrote:

> > Date: Sat, 18 Nov 2017 22:06:31 +0000
> > From: Antony Stone <[hidden email]>
> > To: [hidden email]
> > Subject: Re: [squid-users] Squid Behavior to Ping Destination on
> >
> >         Registered      Ports
> >
> > Message-ID: <[hidden email]>
> > Content-Type: Text/Plain;  charset="iso-8859-15"
> >
> > On Saturday 18 November 2017 at 21:21:38, Kevin Wong wrote:
> > > My firewall (Juniper SRX) caught outbound ICMP flows using vulnerable
> > > ports
> >
> > That makes no sense.  ICMP doesn't use port numbers.
>
> That is why I asked the list and was a follow up question if somebody
> replied it is "normal traffic to find the path to the destination or
> proxies in between".

So what does your firewall mean by catching "outbound ICMP flows using
vulnerable ports"?

What exactly is it catching and complaining about?

> > > before initiating outbound HTTP traffic.  I am running an updated Squid
> > > Proxy on Ubuntu 16.04.  Can anybody explain or confirm the Squid
> > > behavior?
> >
> > What ICMP traffic are you blocking and why?
>
> Besides some basic IDS rules, I'm not blocking ICMP traffic.

Well:

Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session
denied 10.1.1.1/1536->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1
uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny

certainly looks like blocked ICMP traffic to me.

> What's being blocked are all ports

So, that means UDP and TCP (but not ICMP)

> that are not explicitly allowed outbound.  In this case, ports 1024, 1280,
> and 1536 were blocked and 80/tcp, 53/udp are allowed outbound.

Where are those blocked port numbers in your firewall logs?


Antony.

--
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I
forgot to feed the dog!"

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Squid Behavior to Ping Destination on Registered Ports

Amos Jeffries
Administrator
In reply to this post by Kevin Wong
On 19/11/17 11:37, Kevin Wong wrote:

>
> From: Antony Stone
>
>     On Saturday 18 November 2017 at 21:21:38, Kevin Wong wrote:
>
>      > My firewall (Juniper SRX) caught outbound ICMP flows using
>     vulnerable ports
>
>     That makes no sense.  ICMP doesn't use port numbers.
>
>
> That is why I asked the list and was a follow up question if somebody
> replied it is "normal traffic to find the path to the destination or
> proxies in between".
>

Squid does use ICMP echo to determine RTT to peers and servers to select
the fastest route. But it does not use ports, even sets the port in the
payload to 0 so DPI should not mistake it.



>      > before initiating outbound HTTP traffic.  I am running an updated
>     Squid
>      > Proxy on Ubuntu 16.04.  Can anybody explain or confirm the Squid
>     behavior?
>
>     What ICMP traffic are you blocking and why?
>
>
> Besides some basic IDS rules, I'm not blocking ICMP traffic.  What's
> being blocked are all ports that are not explicitly allowed outbound.  
> In this case, ports 1024, 1280, and 1536 were blocked and 80/tcp, 53/udp
> are allowed outbound.
>

Amos
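The thread turns on one point: the `/1024`, `/1280` and `/1536` values in the SRX deny lines are not TCP/UDP ports, because the flows are ICMP (protocol 1, type 8, i.e. echo request, which matches the RTT probing Amos describes). The following script is an added example, not code from Squid, Juniper or anyone in this thread. It parses `RT_FLOW_SESSION_DENY` lines, keeps the port columns only for TCP/UDP flows, and reports ICMP echo requests separately, so a firewall-policy review answers Antony's "where are the blocked port numbers?" question from the log itself. The field positions (`src/sport->dst/dport <service> <name> <proto>(<subtype>)`) are an assumption read off the three lines quoted above; the fourth sample line is constructed to show a genuine port-based deny alongside them.

```python
"""Triage Juniper SRX RT_FLOW_SESSION_DENY lines (hypothetical helper).

For IP protocol 1 (ICMP) the "/port" columns carry device bookkeeping, not
transport ports, so they must not be read as "blocked ports". Field layout
is assumed from the log lines quoted in the squid-users thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the three ICMP lines from the thread plus one made-up
# TCP deny in the same shape (203.0.113.10 is documentation address space).
SAMPLE_LOG = """\
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1536->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 10:47:01  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/51234->203.0.113.10/8080 0x0 tcp 6(0) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
"""

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

# Assumed layout: "<src>/<sport>-><dst>/<dport> <service> <name> <proto>(<subtype>)"
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\S+ \S+ (?P<proto>\d+)\((?P<sub>\d+)\)"
)


@dataclass
class DeniedFlow:
    src: str
    sport: int
    dst: str
    dport: int
    ip_protocol: int
    subtype: int  # ICMP type when ip_protocol == 1; ignored otherwise

    @property
    def port_based(self) -> bool:
        # Only TCP and UDP carry transport-layer port numbers.
        return self.ip_protocol in (6, 17)

    def summary(self) -> str:
        name = IP_PROTO_NAMES.get(self.ip_protocol, str(self.ip_protocol))
        if self.port_based:
            return f"{name} {self.src}:{self.sport} -> {self.dst}:{self.dport} (port-based deny)"
        kind = ICMP_TYPE_NAMES.get(self.subtype, f"type {self.subtype}") if self.ip_protocol == 1 else ""
        return (f"{name} {kind} {self.src} -> {self.dst}; "
                f"'/{self.sport}' and '/{self.dport}' are not transport ports")


def parse_deny_log(text: str) -> List[DeniedFlow]:
    """Extract one DeniedFlow per matching line; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        flows.append(DeniedFlow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                                int(m["proto"]), int(m["sub"])))
    return flows


def blocked_destination_ports(flows: List[DeniedFlow]) -> List[int]:
    """Destination ports that were actually blocked: TCP/UDP flows only."""
    return sorted({f.dport for f in flows if f.port_based})


def icmp_echo_requests(flows: List[DeniedFlow]) -> List[Tuple[str, str]]:
    """(src, dst) pairs of denied ICMP echo requests, e.g. proxy RTT probes."""
    return [(f.src, f.dst) for f in flows if f.ip_protocol == 1 and f.subtype == 8]


if __name__ == "__main__":
    parsed = parse_deny_log(SAMPLE_LOG)
    for flow in parsed:
        print(flow.summary())
    print("blocked TCP/UDP destination ports:", blocked_destination_ports(parsed))
    print("denied ICMP echo requests:", icmp_echo_requests(parsed))
```

Run over the sample, the three thread lines come out as denied echo requests from 10.1.1.1 with no port attached, and the only destination port that was really blocked is the constructed 8080. If the goal is to stop the proxy's RTT probes rather than to re-label them, the place to change that is the Squid configuration, not the firewall's port policy.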