Re: [cobalt-users] Hijacking of Cache Servers
That's a damned good question and one that's got me too.  The only thing I
can figure is that I also receive a skycache feed on my cache servers which
is now up to T3 speeds.  So even if they only had a halfway decent route to
me, then perhaps it's better for them pulling off pages that my skycache
feed has dumped on the cache servers rather than pulling them down from the
site itself.

But honestly I find that hard to believe.  It looks more like some hacker
attack to me.  Yesterday I noticed in the logs that my cache server had
pulled down an entire porn site that was subscription based.  It looks to
me like maybe there is some hacker tool floating around that has a list
of vulnerable cache servers in it and uses the cache server to request
the documents and then download them from the cache server.  In this way
they are able to pull down an entire site before someone knows that someone's
username/password has been compromised.  They get it sucked off onto a cache
server and then they can take their time downloading from the cache server.

I don't know...all I know is that I took my cache servers out of the loop a
while back because we were having performance problems with them and the
skycache feed...we had another T1 turned up and had plenty of bandwidth
anyway.  I just haven't gotten around to ordering more servers to handle the
extra load...but left them online even though no one was pointed towards
them.  Then the other day I noticed our UUNet T1 was maxed out incoming and
outgoing and got to investigating...I noticed the cache servers were pushing
and pulling a lot of traffic that they should have been...and when I telnetted
in and did a netstat I saw hundreds of connections from Japan, Russia,
England, Korea, etc...and they were all dialups, at least according to the
reverse lookups...stuff like ppp12.blah.blah...or dialup12.blah.blah...

I'm putting in some access lists thanks to Mark...and we'll see what
happens...I don't have much experience with squid, and that's the reason I
bought the CacheRaqs...but looks like I'm going to have to learn more than I
had hoped. :)

Pete

> Why the hell would they do that?  Perhaps they get a really good route to
> you or something.
>
> > Can someone please tell me how to restrict client access to only those
> > clients from within my IP ranges?
>
> I'd put up a firewall, like the Cisco PIX.  You then should be able to block
> it all out.  I'd have to play around with the CacheRaq a little more to let
> you know how to block it out with the built in stuff.  I'll try to do that
> like tonight and let you know if I find anything.
>
> -k
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-users
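An added example, not from this thread and not Cobalt's shipped configuration: the squid.conf access-control lines that answer the quoted question, limiting the cache to clients inside the operator's own address ranges so it cannot be used as an open relay. The ranges 198.51.100.0/24 and 203.0.113.0/24 are placeholders for "my IP ranges"; older Squid 2 releases (the generation a CacheRaq ran) need the `all` ACL declared explicitly, newer releases predefine it.

```conf
# Constructed example for squid.conf (placeholder ranges, not real ones).
# Squid 2.x needs "all" declared; Squid 3.2+ predefines it and warns if redefined.
acl all src 0.0.0.0/0.0.0.0
acl localnet src 198.51.100.0/24
acl localnet src 203.0.113.0/24

# Weak setting: this is what leaves the cache open to the whole Internet,
# which is what the dialup connections from abroad in the thread look like.
# http_access allow all

# Corrected: rules are evaluated top to bottom, first match wins,
# so allow own ranges first and deny everything else last.
http_access allow localnet
http_access deny all

# ICP (cache peering) is a separate channel; restrict it the same way.
icp_access allow localnet
icp_access deny all
```

After a reload, a request from outside the listed ranges is answered with a 403 and logged as TCP_DENIED in access.log, which makes the abuse visible in the logs rather than only in netstat.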