This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTP Proxy CONNECT Loop DoS?

Running a Nessus vulnerability scan on my network, it detects the IP of my Sophos UTM having one:

MEDIUM: HTTP Proxy CONNECT Loop DoS

Description

The proxy allows the users to perform repeated CONNECT requests to itself.

This allow anybody to saturate the proxy CPU, memory or file descriptors.

** Note that if the proxy limits the number of connections
** from a single IP (e.g. acl maxconn with Squid), it is
** protected against saturation and you may ignore this alert.

Solution

Reconfigure your proxy so that it refuses CONNECT requests to itself.

Port 8080 / tcp / http_proxy

Any ideas how I fix this?

Version 9.404-5

Thanks,

James.

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago

James, have you selected 'Detect HTTP loopback' on the 'Misc' tab of 'Filtering Options'? Google site:community.sophos.com/products/unified-threat-management/f "Detect HTTP loopback" - Any luck with that?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 jlbrown over 9 years ago in reply to BAlfson

Hi Bob.

Yes, 'Detect HTTP loopback' is on.

James.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to jlbrown

Then I wonder if the Nessus scan didn't return a false-positive. Hopefully, former Astaro guru Jack Daniel will chime in. Jack now works for Tenable, but still appears here occasionally.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Jack Daniel over 8 years ago in reply to BAlfson

OK, I may be slow to respond, but eventually...

Since UTM scans are only "external" (non-credentialed), we have to make some assumptions based on responses. As Bob said, the loopback prevention setting should protect you- but give me another day or two to play in my lab and see what I find.

-jd
Cancel
Vote Up 0 Vote Down

Cancel
0 Jack Daniel over 8 years ago in reply to Jack Daniel

I've been unable to duplicate this in my labs against a few versions of UTM.

If the problem continues, or returns, please reach out to me, This applies to any Nessus (or any other Tenable products) findings, I'm happy to bridge the Sophos and Tenable communities.

Cheers

-jd
Cancel
Vote Up 0 Vote Down

Cancel
0 jlbrown over 8 years ago in reply to Jack Daniel

Hi Jack - Thanks for your investigations.

Just tried it again, and got the same vulnerability warning. This time with UTM 9.405-5, and Nessus 6.8.1.

Plugin Details

Severity: Medium
ID: 17154
Version: $Revision: 1.12 $
Type: remote
Family: Web Servers
Published: 2005/02/20
Modified: 2013/01/25

James.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 jlbrown over 8 years ago in reply to Jack Daniel

Hi Jack - Thanks for your investigations.

Just tried it again, and got the same vulnerability warning. This time with UTM 9.405-5, and Nessus 6.8.1.

Plugin Details

Severity: Medium
ID: 17154
Version: $Revision: 1.12 $
Type: remote
Family: Web Servers
Published: 2005/02/20
Modified: 2013/01/25

James.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jack Daniel over 8 years ago in reply to jlbrown

I'm running some more tests, if I can't duplicate the issue I may need to connect you with Tenable's support team to get to the bottom of it.

-jd
Cancel
Vote Up 0 Vote Down

Cancel
0 Jack Daniel over 8 years ago in reply to jlbrown

Hi James, still unable to duplicate in my labs, please check DM and let's get this figured out.

-jd
Cancel
Vote Up 0 Vote Down

Cancel

HTTP Proxy CONNECT Loop DoS?

Plugin Details

Plugin Details