[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: VIRUS IN YOUR MAIL (W32/BugBear.A (Clam))

On Thu, Oct 17, 2002 at 08:57:01AM -0400, Jeff S Wheeler wrote:
> Is this true, or will a getsockname() performed on a TCP socket which
> was created as one endpoint of a connection which is being transparently
> proxied give the client's intended destination address?  I do not know.

My experience is that getsockname returns the new address which the
data is being redirectected to.

Once the tranparent proxy creates the real connection to the remote
host though, the remote host only sees the connection to the
proxy server, not the host that initiated the connection.

> > A transparent HTTP proxy relies on the server name HTTP1.1 request
> > field to determine what host the client really wanted to connect to.
> > (this has been tested with Pacific's transparent proxy).
> I do know that all HTTP/1.1 requests must contain a Host: header to be
> valid.  Even if you knew the destination IP address, if you did not have
> a Host: header you couldn't successfully complete an HTTP/1.1 request.

I have changed ISPs so can no longer check this now, but my experience
is that doing something like this works:

telnet www.microsoft.com.au 80       (or *any* IP address)
GET / HTTP/1.1
Host: www.monash.edu.au

will return the web page for www.monash.edu.au instead of

In fact if you leave out the Host: field, even for HTTP/1.0, the proxy
gets confused and doesn't know where you want to connect to.

Or, enter an invalid host name for the Host field, and you get a
squid proxy error that the DNS cannot be found. Which is a bit weird
considering no proxy's are used as far as the client is concerned.

(I first encountered this when trying to connect to a remote web server
which had no DNS entry, but required a certain Hosts: field. I thought
no problem, I will just create an /etc/hosts entry on my local computer.
Trouble is, this transparent proxy intercepted the request, tried to
look up the non-existant domain, and failed.)
Brian May <bam@snoopy.apana.org.au>

Reply to: