HTTP Proxy CONNECT Loop DoS?

Running a Nessus vulnerability scan on my network, it detects the IP of my Sophos UTM having one:

MEDIUM: HTTP Proxy CONNECT Loop DoS

Description

The proxy allows the users to perform repeated CONNECT requests to itself.

This allow anybody to saturate the proxy CPU, memory or file descriptors.

** Note that if the proxy limits the number of connections
** from a single IP (e.g. acl maxconn with Squid), it is
** protected against saturation and you may ignore this alert.

Solution

Reconfigure your proxy so that it refuses CONNECT requests to itself.

Port   8080 / tcp / http_proxy    

Any ideas how I fix this?

Version 9.404-5

Thanks,

James.

  • James, have you selected 'Detect HTTP loopback' on the 'Misc' tab of 'Filtering Options'?  Google site:community.sophos.com/products/unified-threat-management/f "Detect HTTP loopback" - Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    Yes, 'Detect HTTP loopback' is on.

    James.

  • Then I wonder if the Nessus scan didn't return a false-positive.  Hopefully, former Astaro guru Jack Daniel will chime in.  Jack now works for Tenable, but still appears here occasionally.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I may be slow to respond, but eventually...

    Since UTM scans are only "external" (non-credentialed), we have to make some assumptions based on responses.  As Bob said, the loopback prevention setting should protect you - but give me another day or two to play in my lab and see what I find.

    -jd

  • I've been unable to duplicate this in my labs against a few versions of UTM.

    If the problem continues, or returns, please reach out to me. This applies to any Nessus (or any other Tenable products) findings; I'm happy to bridge the Sophos and Tenable communities.

    Cheers

    -jd

  • Hi Jack - Thanks for your investigations.

    Just tried it again, and got the same vulnerability warning. This time with UTM 9.405-5, and Nessus 6.8.1.

    Plugin Details
    Severity:    Medium
    ID:     17154
    Version:    $Revision: 1.12 $
    Type:         remote
    Family:       Web Servers
    Published:  2005/02/20
    Modified:    2013/01/25

    James.
  • I'm running some more tests; if I can't duplicate the issue I may need to connect you with Tenable's support team to get to the bottom of it.

    -jd

  • Hi James, still unable to duplicate in my labs, please check DM and let's get this figured out.

    -jd

  • I know this is an old post, but did you ever get a resolution?

    I'm getting the same result, but only on my Additional IP (when setting an Additional IP address on the internal interface).  I also have HTTP Proxy Loop Detection enabled, so I'm not getting the warning on that IP, but only on my Additional/Secondary IP.

    I tried creating a firewall rule to block proxy connections to my secondary IP, but it didn't work.

    At this point, it seems like a proxy loop DoS attack is possible if someone has a Secondary IP assigned to the same interface used for proxy connections.

    Thanks.
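A way to verify the finding for yourself, as an added example that is not code from this thread, from Sophos or from Tenable: the script below sends a single CONNECT to each address the proxy listens on (primary and any Additional IP on the interface), asking the proxy to tunnel to one of its own addresses on port 8080, and reports whether the tunnel is accepted. A 2xx status line means the proxy accepted a CONNECT to itself, which is the condition the plugin description flags; the addresses are constructed placeholders to replace with your own.

```python
import socket
import sys

# Constructed example values: replace with your UTM's proxy port and the
# addresses it listens on (primary plus any Additional IP on the interface).
PROXY_PORT = 8080
PROXY_ADDRESSES = ["192.0.2.1", "192.0.2.2"]  # placeholders (documentation range)


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Build one HTTP/1.1 CONNECT request asking for target_host:target_port."""
    target = f"{target_host}:{target_port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def connect_accepted(status_line: str) -> bool:
    """True when the proxy's status line reports an established tunnel (2xx)."""
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return False
    return parts[1].isdigit() and 200 <= int(parts[1]) < 300


def probe_self_connect(proxy_host: str, proxy_port: int, target_host: str,
                       timeout: float = 5.0) -> str:
    """Send a single CONNECT via proxy_host for target_host:proxy_port and return
    the status line ('' on timeout or connection error). No looping is done."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target_host, proxy_port))
            data = s.recv(1024)
    except OSError:
        return ""
    return data.split(b"\r\n", 1)[0].decode("latin-1", errors="replace")


if __name__ == "__main__":
    exposed = []
    for addr in PROXY_ADDRESSES:
        for target in PROXY_ADDRESSES:  # also covers primary -> Additional IP
            line = probe_self_connect(addr, PROXY_PORT, target)
            verdict = "ACCEPTED (loop possible)" if connect_accepted(line) else "refused"
            print(f"{addr}:{PROXY_PORT} CONNECT {target}:{PROXY_PORT} -> {line!r} {verdict}")
            if connect_accepted(line):
                exposed.append((addr, target))
    sys.exit(1 if exposed else 0)
```

Run it from a client on the proxied network; a non-zero exit lists the listener/target pairs where loopback detection did not refuse the request, which is the combination the Additional IP report above describes.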