[squid-users] source spoofing without tproxy?

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 13 09:49:15 UTC 2017


On 13/06/17 19:34, Matus UHLAR - fantomas wrote:
>> On 13/06/17 13:48, David Kewley wrote:
>>> I want my clients to explicitly address squid as a proxy (not use 
>>> tproxy), but have squid spoof the source addresses in the forwarded 
>>> connection, so that further hops know the original source address 
>>> from the IPv4 headers.
>>>
>>> I could find no indication that anyone else has done this, and when 
>>> I tried various things, I could not get it working.
>>>
>>> Is this possible today? If not, is it worth considering as a future 
>>> feature? Or am I overlooking a reason that this cannot work even in 
>>> theory?
>
> On 13.06.17 16:50, Amos Jeffries wrote:
>> It is not possible.
>>
>> No, it is a terrible idea.
>>
>> It is prohibited by the OS kernel as part of the anti-malware 
>> protections, in this case to prevent the local machine being used to 
>> attack its surrounding network nodes. And by Squid to make it harder 
>> to use Squid as viral payload and damage the brand reputation.
>
> For me to fully understand (I was curious about this some time ago), it is
> allowed to fake clients' IPs when intercepting their connections, but not
> when connections are done to the proxy server directly?

Yes.

> What's the difference that makes it more terrible than spoofing IPs of
> intercepted connections?

If you take a close look at the packets you should see the incoming ones 
as (client-IP:server-IP:server-port) and the outgoing ones from Squid have 
identical (client-IP:server-IP:server-port). Only the src-port differs.
  - As far as the rest of the network is concerned, Squid is acting as if 
it were a TCP router. The kernel is also configured as a router in order 
to do TPROXY, so the whole environment, except for the proxy and a few 
rules in the networking stack, is set up for routing.


By comparison, without TPROXY the incoming packets have 
(client-IP:client-port:squid-IP:squid-port) and the server connection 
packets would have (client-IP:random-port:server-IP:server-port). The 
machine is set up as a server host, not a router, which is where Ingress 
and Egress Filtering both stomp on it hard for using other machines' IPs.


PS. If you spoof (with or without TPROXY) and have not implemented 
BCP-38 ingress filtering (AND its equivalent egress filtering) on your 
network then you are part of the DoS attack system, guaranteed, whether 
you know it or not. Very likely you will _not_ be aware of it because 
all the information you can log or gather from TCP is spoofed (duh!) and 
appears to be your own innocent clients doing things that clients tend 
to do (NTP lookups? DNS lookups? sending email? using HTTP? sure no harm 
there ... unless it wasn't them).

Amos
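To make the ingress/egress filtering point concrete, here is a small Python model of BCP-38 style source-address validation run over the two packet patterns described in the reply above. This is an added example, not code from the thread or from the Squid project; the addresses and prefixes are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the fields the filter cares about."""
    src: str
    sport: int
    dst: str
    dport: int


def source_valid(pkt, permitted_sources):
    """BCP-38 style check on a link: the source address must belong to a
    prefix that legitimately originates behind that link. Returns 'pass'
    or 'drop'. Applies equally to the host's egress filter and to the
    upstream's ingress filter, which see the same packet."""
    ip = ipaddress.ip_address(pkt.src)
    ok = any(ip in ipaddress.ip_network(p) for p in permitted_sources)
    return "pass" if ok else "drop"


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT = "192.0.2.10"        # a client on the LAN prefix 192.0.2.0/24
SERVER = "203.0.113.5"       # origin server out on the Internet
SQUID_HOST = "198.51.100.7"  # the explicit proxy's own address


def tproxy_case():
    """TPROXY: the Squid box is a router, so the LAN prefix legitimately
    sits behind its upstream link and the filter on that link permits it.
    Inbound and outbound differ only in source port, as the reply says."""
    permitted = ["192.0.2.0/24"]
    inbound = Packet(CLIENT, 40000, SERVER, 80)
    outbound = Packet(CLIENT, 40001, SERVER, 80)  # client IP preserved
    assert (inbound.src, inbound.dst, inbound.dport) == (outbound.src, outbound.dst, outbound.dport)
    return source_valid(outbound, permitted)


def explicit_proxy_case(spoof):
    """Explicit proxy: Squid is a server host, so the only legitimate source
    on its upstream link is its own address. A forwarded connection that
    carries the client's IP as its source fails the check."""
    permitted = ["198.51.100.7/32"]
    src = CLIENT if spoof else SQUID_HOST
    outbound = Packet(src, 40002, SERVER, 80)
    return source_valid(outbound, permitted)
```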


