Proxy server and web caching

By radiic
Hey all
I have a 2.0 proxy server between my internal net and my ISP. Well, I put a box in between the two with Snort on it and found that the proxy server is receiving tons of replies from the ISP DNS server. They show up as if the DNS server was trying to run a portscan. After digging a little I found that MPS has integrated web caching. I now make the assumption that it is keeping track of all the webpages that everyone is going to and then periodically checks the IP against the DNS server. If this is right or wrong let me know.

The question is: is there any way to control this feature? I haven't come across an option on the management console for this. My Snort logs show that it does it only twice during the night 3 hour interval. Then it does it at 8:17, then 8:40, 8:49, 8:52 and then not till 12:24. I would really like it to only verify two or three times a day.

Thanks in advance.
Rad

In a perfect world.....

by FelixOrtiz In reply to Proxy server and web cach ...

In a perfect world MS would have thought of that feature, but they didn't. I had the same problem. I found that the only way to control it is to make sure that all your clients are using the WinSock Proxy, not the Web Proxy. The Web Proxy is the one that takes care of caching the webpages ahead of time. Once you have everyone running through WinSock Proxy then you can use the AT command and a simple batch file to start & stop the Web Proxy service when you want it to cache.
Also take a peek at
http://proxyfaq.networkgods.com
they have what I believe to be _the_ ultimate document on MSP.

Carlos

Does it lessen if

by admin In reply to Proxy server and web cach ...

you change the "web proxy service properties" "caching" tab caching checkboxes to "fewer network access..." on both sections?

p.s. How do you like "Snort"

by admin In reply to Proxy server and web cach ...

I haven't used it yet.

I love snort

by radiic In reply to p.s. How do you like "Sno ...

I have used both platforms, W2k and Linux. Both have a learning curve to set up, but there are some very helpful listings at the sans.org site. Try it, you'll like it.

Out of curiosity?.....

by LordInfidel In reply to Proxy server and web cach ...

What ports is it scanning?

Standard DNS should be UDP/53.

If it is TCP/53, then something is trying to do a zone transfer.

Are you using your own DNS server or are you using your ISP's?

Which way are the requests going? Is the ISP DNS server initiating the SYN request or is it the other way (proxy initiating SYN packets)?

Depending on how you have your proxy set up (assuming you selected web caching), the only times it should talk to the DNS server are when it:
A: has a new request for a web page for a domain/page that it does not know about.

B: The TTL has expired for a page in cache and it needs to do a new query.

Now if the SYN/SYN-ACK are something else between your proxy and your ISP DNS, I would double check the ports it is trying to communicate over and close them off if need be.

You may want to send the logs over to your ISP and double check with them. I know on our end we have connection load balancers that will scan the net for latency so that they can decide which circuit to send requests over. This is sometimes confused with a port scan.

Just some info.

I have since the post dug deeper

by radiic In reply to Out of curiosity?.....

They are UDP/53 replies responding to a request from the proxy server. It seems that I might have forgotten to tell Snort that my DNS server resided at xxx.xxx.xxx.xxx in my snort.conf file.

Seems that there is a tab under the web proxy properties for caching. Although a bit confusing, I must add.

Thanks for all the help.
Rad
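
The false positive resolved at the end of this thread, shown as an added example that is not part of the original posts and is not Snort's own code: a distinct-port counter flags the ISP DNS server because each reply lands on a different ephemeral port of the proxy, while a counter that knows the DNS server and matches replies to pending queries does not. The addresses, threshold and function names are assumptions, and the traffic is constructed.

```python
from collections import defaultdict

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port), all UDP.
PROXY, ISP_DNS, OTHER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
PACKETS = []
for port in range(1025, 1031):            # proxy resolves six names
    PACKETS.append((PROXY, port, ISP_DNS, 53))    # query
    PACKETS.append((ISP_DNS, 53, PROXY, port))    # matching reply
for port in (69, 111, 137, 161, 514):     # unsolicited probes from another host
    PACKETS.append((OTHER, 40000, PROXY, port))


def naive_scanners(packets, threshold=4):
    """Flag any source that touches >= threshold distinct ports on one target."""
    ports = defaultdict(set)
    for src, _sport, dst, dport in packets:
        ports[(src, dst)].add(dport)
    return {src for (src, _dst), seen in ports.items() if len(seen) >= threshold}


def stateful_scanners(packets, dns_servers, threshold=4):
    """Same count, but skip replies from known DNS servers to pending queries."""
    pending = set()                # (client_ip, client_port, server_ip)
    ports = defaultdict(set)
    for src, sport, dst, dport in packets:
        if dst in dns_servers and dport == 53:
            pending.add((src, sport, dst))        # remember the outgoing query
            continue
        if src in dns_servers and sport == 53 and (dst, dport, src) in pending:
            pending.discard((dst, dport, src))    # solicited reply, not a probe
            continue
        ports[(src, dst)].add(dport)              # everything else is counted
    return {src for (src, _dst), seen in ports.items() if len(seen) >= threshold}


if __name__ == "__main__":
    print("naive:   ", sorted(naive_scanners(PACKETS)))
    print("stateful:", sorted(stateful_scanners(PACKETS, {ISP_DNS})))
```

Port-53 traffic from the DNS server that answers no pending query is still counted, so listing the server does not blind the check to it.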
