[squid-users] Host header forgery detected

Yuri Voinov yvoinov at gmail.com
Tue Jan 27 09:22:55 UTC 2015


Oh, shi......

It can't be on proxy host or other infrastructure. It can be on these
client......

Let's check.

27.01.2015 10:41, Amos Jeffries wrote:
> On 27/01/2015 11:13 a.m., Yuri Voinov wrote:
>
> > Hi gents,
>
> > who knows - what does it mean below?
>
> > 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443)
> > 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: By user agent:
> > 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: on URL: stnd-lueg.crsi.symantec.com:443
> > 2015/01/27 04:11:42.289 kid1| abandoning local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33
>
>
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>
>
> Notice how the origin-server request being intercepted on port *80*
> says it's on port *443*.
>
> This is either one of the actual attacks the forgery protection was
> put in place to prevent (yes, they do happen), or you have a NAT
> somewhere mapping port 443 onto port 80 before it gets to the proxy
> machine.
>
> Amos

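One way to triage these alerts across a whole cache.log, as an added example that is not part of the original thread and not Squid's own code: it pairs each forgery alert with its "on URL:" line and counts, per remote address, which intercepted port disagrees with which port the request names. The regular expressions assume the line layout shown in the quoted log, and the function names are illustrative.

```python
import re
from collections import Counter

# The four cache.log lines from the quoted message, one entry per line.
SAMPLE_LOG = """\
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443)
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: By user agent:
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: on URL: stnd-lueg.crsi.symantec.com:443
2015/01/27 04:11:42.289 kid1| abandoning local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33
"""

ALERT = re.compile(
    r"^(?P<ts>\S+ \S+) \S+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) .*\((?P<reason>[^)]*)\)\s*$")
URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")
PORT_REASON = re.compile(r"intercepted port does not match (\d+)$")

def split_hostport(addr):
    """Split 'host:port' on the last colon (also works for '[v6]:port')."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def parse_alerts(text):
    """Return one dict per forgery alert, joined with its 'on URL:' line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            lhost, lport = split_hostport(m["local"])
            rhost, _ = split_hostport(m["remote"])
            pm = PORT_REASON.search(m["reason"])
            alerts.append({
                "ts": m["ts"], "remote_host": rhost,
                "local_host": lhost, "local_port": lport,
                "reason": m["reason"], "url": None,
                # Port named in the request; None for other mismatch reasons.
                "claimed_port": int(pm.group(1)) if pm else None,
            })
        elif alerts and alerts[-1]["url"] is None and (u := URL.search(line)):
            alerts[-1]["url"] = u["url"]
    return alerts

def port_mismatches(alerts):
    """Count (remote host, intercepted port, claimed port) for port alerts."""
    return Counter((a["remote_host"], a["local_port"], a["claimed_port"])
                   for a in alerts if a["claimed_port"] is not None)

if __name__ == "__main__":
    for key, n in port_mismatches(parse_alerts(SAMPLE_LOG)).items():
        print("remote=%s intercepted on port %d, request says port %d: %d alert(s)" % (*key, n))
```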


