[squid-users] host header forgery false positives

Dan Charlesworth dan at getbusi.com
Mon Feb 15 03:20:02 UTC 2016


Did a bug end up getting filed for this?

I can probably provide some ALL,9 logs, but I don’t understand the problem well enough to write up a decent report, I don’t think.

> On 12 Jan 2016, at 12:40 PM, Jason Haar <Jason_Haar at trimble.com> wrote:
> 
> Hi there
> 
> I am finding squid-3.5.13 is false positive-ing on ssl-bump way too
> often. I'm just using "peek-and-splice" on intercepted port 443 to
> create better squid logfiles (i.e. I'm not actually bump-ing) but that
> enables enough of the code to cause the Host forgery code to kick in -
> but it doesn't work well in a real network.
> 
> As you can see below, here's a handful of sites that we're seeing this
> trigger on, and as it's my home network I can guarantee there's no odd
> DNS setups or forgery going on. This is just real-world websites doing
> what they do (i.e. are totally outside our control or influence).
> 
> I don't know how the forgery-checking code works, but I guess what's
> happened is the DNS lookups the squid server does don't contain the
> same IP addresses the client resolved the same DNS name to. I must say
> that is odd because all our home computers use the squid server as their
> DNS server - just as the squid service does - so there shouldn't be any
> such conflict - but I imagine caching could be to blame (maybe the
> clients cache old values for longer/shorter timeframes than squid does).
> 
> This is a bit of a show-stopper to ever using bump: having perfectly
> good websites being unavailable really isn't an option (in the case of
> "peek-and-splice" over intercepted they seem to hang forever when this
> error occurs). Perhaps an option to change its behaviour would be
> better? e.g. enable/disable and maybe "ignore client and use the IP
> addresses squid thinks are best" could work?
> 
> 
> Jason
> 
> 
> 2016/01/12 06:04:10.303 kid1| SECURITY ALERT: Host header forgery
> detected on local=121.254.166.35:443 remote=192.168.0.8:55203 FD 95
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:04:10.303 kid1| SECURITY ALERT: on URL: nydus.battle.net:443
> 2016/01/12 06:11:47.146 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.112.120:443 remote=192.168.0.8:56072 FD 273
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:11:47.146 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 06:14:24.125 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.2.145:443 remote=192.168.0.8:56304 FD 286
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:14:24.125 kid1| SECURITY ALERT: on URL:
> adzerk-www.s3.amazonaws.com:443
> 2016/01/12 06:14:24.125 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.2.145:443 remote=192.168.0.8:56305 FD 287
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:14:24.125 kid1| SECURITY ALERT: on URL:
> adzerk-www.s3.amazonaws.com:443
> 2016/01/12 06:37:52.737 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.114.114:443 remote=192.168.0.8:58411 FD 309
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:37:52.737 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 06:37:57.127 kid1| SECURITY ALERT: Host header forgery
> detected on local=23.21.91.58:443 remote=192.168.0.8:58421 FD 298
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:37:57.127 kid1| SECURITY ALERT: on URL:
> pixel.redditmedia.com:443
> 2016/01/12 06:37:58.158 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.49.32:443 remote=192.168.0.8:58422 FD 299
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:37:58.158 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 07:59:46.480 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.82.178:443 remote=192.168.0.8:64203 FD 17
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 07:59:46.480 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 10:42:07.376 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.129:443 remote=192.168.0.7:50212 FD 13
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 10:42:07.376 kid1| SECURITY ALERT: on URL: github.com:443
> 2016/01/12 10:49:52.696 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.13.169:443 remote=192.168.0.7:40358 FD 21
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 10:49:52.696 kid1| SECURITY ALERT: on URL:
> adzerk-www.s3.amazonaws.com:443
> 2016/01/12 12:19:00.374 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.149.175.172:443 remote=192.168.0.7:57686 FD 53
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:19:00.374 kid1| SECURITY ALERT: on URL:
> shavar.services.mozilla.com:443
> 2016/01/12 12:38:33.666 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.114.60:443 remote=192.168.0.7:60694 FD 240
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:38:33.666 kid1| SECURITY ALERT: on URL: s3.amazonaws.com:443
> 2016/01/12 12:45:24.356 kid1| SECURITY ALERT: Host header forgery
> detected on local=52.35.143.137:443 remote=192.168.0.7:53313 FD 54
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:45:24.356 kid1| SECURITY ALERT: on URL:
> events.redditmedia.com:443
> 2016/01/12 12:45:30.568 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.204.8.186:443 remote=192.168.0.7:44144 FD 237
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:45:30.568 kid1| SECURITY ALERT: on URL:
> engine.a.redditmedia.com:443
> 2016/01/12 12:49:10.490 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.128:443 remote=192.168.0.7:36340 FD 79
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:49:10.490 kid1| SECURITY ALERT: on URL: github.com:443
> 2016/01/12 12:49:21.162 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.127:443 remote=192.168.0.7:41264 FD 250
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:49:21.162 kid1| SECURITY ALERT: on URL: api.github.com:443
> 2016/01/12 12:49:51.399 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.129:443 remote=192.168.0.7:50925 FD 203
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 12:49:51.399 kid1| SECURITY ALERT: on URL: github.com:443
> 2016/01/12 13:03:57.040 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.92:443 remote=192.168.0.7:46645 FD 291
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 13:03:57.040 kid1| SECURITY ALERT: on URL: live.github.com:443
> 2016/01/12 13:03:59.200 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.92:443 remote=192.168.0.7:46647 FD 275
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 13:03:59.200 kid1| SECURITY ALERT: on URL: live.github.com:443
> 
> -- 
> Cheers
> 
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> 



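For triaging alerts like the ones quoted above, the following added example (not part of either post and not Squid code) rejoins the e-mail-wrapped cache.log entries and groups them per host, so a name that triggers on several destination IPs stands out. The function names are hypothetical, and the parser assumes each `on URL:` value has the `host:port` form seen in the quoted log.

```python
import re
from collections import defaultdict

# Excerpt of the alerts quoted in the post, still e-mail wrapped and "> " prefixed.
SAMPLE = """\
> 2016/01/12 06:11:47.146 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.112.120:443 remote=192.168.0.8:56072 FD 273
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:11:47.146 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 06:37:52.737 kid1| SECURITY ALERT: Host header forgery
> detected on local=54.231.114.114:443 remote=192.168.0.8:58411 FD 309
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 06:37:52.737 kid1| SECURITY ALERT: on URL:
> redditstatic.s3.amazonaws.com:443
> 2016/01/12 10:42:07.376 kid1| SECURITY ALERT: Host header forgery
> detected on local=192.30.252.129:443 remote=192.168.0.7:50212 FD 13
> flags=33 (local IP does not match any domain IP)
> 2016/01/12 10:42:07.376 kid1| SECURITY ALERT: on URL: github.com:443
"""
TS = re.compile(r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ ")
ALERT = re.compile(r"Host header forgery detected on local=(\S+):\d+ remote=(\S+):\d+")
URL = re.compile(r"SECURITY ALERT: on URL: (\S+?)(?::\d+)?$")  # assumes host:port form

def unwrap(text):
    """Strip '> ' quoting and rejoin log entries that were wrapped across lines."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^>\s?", "", line).strip()
        if line and (TS.match(line) or not entries):
            entries.append(line)          # a timestamp starts a new entry
        elif line:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def summarise(text):
    """Pair each alert with the URL line that follows: host -> [(dst_ip, client), ...]."""
    hosts, pending = defaultdict(list), None
    for entry in unwrap(text):
        if m := ALERT.search(entry):
            pending = m.groups()
        elif (m := URL.search(entry)) and pending:
            hosts[m.group(1)].append(pending)
            pending = None                # never reuse an alert for a second URL line
    return dict(hosts)

if __name__ == "__main__":
    for host, hits in sorted(summarise(SAMPLE).items()):
        print(host, len(hits), "alerts, destination IPs:", sorted({ip for ip, _ in hits}))
```
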