HTTP Proxy CONNECT Loop DoS?

Running a Nessus vulnerability scan on my network, it detects the IP of my Sophos UTM having one:

MEDIUM: HTTP Proxy CONNECT Loop DoS

Description

The proxy allows the users to perform repeated CONNECT requests to itself.

This allow anybody to saturate the proxy CPU, memory or file descriptors.

** Note that if the proxy limits the number of connections
** from a single IP (e.g. acl maxconn with Squid), it is
** protected against saturation and you may ignore this alert.

Solution

Reconfigure your proxy so that it refuses CONNECT requests to itself.

Port   8080 / tcp / http_proxy    

Any ideas how I fix this?

Version 9.404-5

Thanks,

James.



  • James, have you selected 'Detect HTTP loopback' on the 'Misc' tab of 'Filtering Options'?  Google site:community.sophos.com/products/unified-threat-management/f "Detect HTTP loopback" - Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.

    Yes, 'Detect HTTP loopback' is on.

    James.

  • Then I wonder if the Nessus scan didn't return a false-positive.  Hopefully, former Astaro guru Jack Daniel will chime in.  Jack now works for Tenable, but still appears here occasionally.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I may be slow to respond, but eventually...

    Since UTM scans are only "external" (non-credentialed), we have to make some assumptions based on responses.  As Bob said, the loopback prevention setting should protect you, but give me another day or two to play in my lab and see what I find.

    -jd

  • I've been unable to duplicate this in my labs against a few versions of UTM.

    If the problem continues, or returns, please reach out to me. This applies to any Nessus (or any other Tenable products) findings; I'm happy to bridge the Sophos and Tenable communities.

    Cheers

    -jd

  • Hi Jack - Thanks for your investigations.

    Just tried it again, and got the same vulnerability warning. This time with UTM 9.405-5, and Nessus 6.8.1.

    Plugin Details
    Severity:    Medium
    ID:     17154
    Version:    $Revision: 1.12 $
    Type:         remote
    Family:       Web Servers
    Published:  2005/02/20
    Modified:    2013/01/25
    James.
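One way to triage the finding discussed in this thread by hand, as an added example that is not part of the original posts and is not the Nessus plugin's own logic: send a single CONNECT that names the proxy's own address and port (8080 in the report above) and look at the status line. The function names and the mapping of status codes to verdicts are assumptions made for this sketch; run it only against a proxy you administer.

```python
import socket
import sys


def build_self_connect(proxy_host: str, proxy_port: int) -> bytes:
    """One CONNECT request whose target is the proxy's own listener."""
    target = f"{proxy_host}:{proxy_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def classify_response(raw: bytes) -> str:
    """Map the proxy's reply to 'accepted', 'refused' or 'inconclusive'.

    Assumed interpretation (not taken from the scanner):
      2xx         -> tunnel to itself was opened, the finding looks real
      407         -> proxy wants authentication first, tells us nothing
      other 4xx/5xx -> the self-referencing CONNECT was rejected
    """
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "inconclusive"          # empty, truncated or non-HTTP reply
    code = int(parts[1])
    if 200 <= code < 300:
        return "accepted"
    if code == 407:
        return "inconclusive"
    if 400 <= code < 600:
        return "refused"
    return "inconclusive"


def check_proxy(proxy_host: str, proxy_port: int = 8080, timeout: float = 5.0) -> str:
    """Send exactly one request and classify the first bytes of the reply."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_self_connect(proxy_host, proxy_port))
            raw = s.recv(4096)
    except OSError:
        return "inconclusive"          # connection dropped or timed out
    return classify_response(raw)


if __name__ == "__main__":
    # Usage: python check_connect_loop.py <proxy-ip> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    print(f"{host}:{port} -> {check_proxy(host, port)}")
```

A "refused" result with 'Detect HTTP loopback' enabled supports the false-positive reading; an "accepted" result is worth sending to the vendor together with the raw status line.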