[OPLINTECH] Web Filtering Crashing Internet

Chad Morris morrisch at oplin.org
Mon Sep 29 12:56:14 EDT 2014


I've been experiencing an odd issue with my web filtering firewall
pertaining to Chinese web sites and spam email. I have a ClearOS server in
bridge mode doing URL re-write filtering, sitting in front of my main
firewall. The ClearOS server catches all web traffic leaving the network,
filters out any bad words, and enforces safe searches (Google, Bing, etc.).
Due to the large amount of past malicious activity, I've blocked most of the
APNIC, RIPE, AFRINIC, and LACNIC IP addresses on my main firewall (MikroTik
RB2011UiAS-RM).

I've narrowed the issue down to a particular patron who has been visiting
web sites such as tw.yahoo.com, mail.com, and email.com. According to my
ClearOS logs, the web pages with Chinese characters generate a long URL
which crashes our web browsing, except for the patron viewing the web
pages. Once it crashes, I have to restart the ClearOS server, and then it
works for about 20-30 minutes before it crashes again. I've contacted
ClearOS and they can't recreate the issue, but they suggested that I turn off
write caching, which I have done, but that doesn't help.

I want to allow the patron to view web sites in their foreign language, but
I also can't have the internet crash every time they come in to use a
computer. As for email.com and mail.com, the patron's email account is
loaded with spam and they click on everything. I've seen them click on a
spam email that, when opened, contains an endless redirect script that
eventually crashes the internet for everyone. The redirects go to a randomly
generated URL based in China. I don't know if the patron has caught on that
they are causing the issue and are purposely causing the internet to crash,
or if they are just click-happy and actually enjoy reading malicious emails.
It's suspicious that they click on the spam email and minimize the window
while the redirect script runs in the background.

The public computers are on the same subnet as the staff computers, and they
are locked down heavily with group policy, Faronics WINSelect, anti-virus, and
Deep Freeze. I've tried switching them to a different subnet, but that
doesn't fix the issue.

I've concluded:

- My ClearOS setup doesn't play nice with web sites based in China, long
URLs containing Chinese characters, email.com and mail.com.

- The ClearOS server works fantastically with everything else.

- The recommendation from ClearOS support doesn't work.

- The issue happens with this particular patron only.

- We use OpenDNS to block web sites in addition to my IP range blocks on my
gateway.

Is there anyone else out there who uses a DansGuardian/Squid based content
filter? If so, have you had issues like mine?

Thank you,

Chad



--
Chad Morris
Technology Coordinator
Franklin-Springboro Public Library
44 E. Fourth Street
Franklin, OH 45005
Office:  (937) 746-2665 ext 116
Fax:     (937) 746-2847
Email:   morrisch at oplin.org
www.fspl.org
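Added example, not part of Chad's post and not code from ClearOS, DansGuardian or Squid: a small Python triage script for a Squid-format access log that flags the two symptoms described above, long URLs whose percent-decoded form contains multibyte (CJK) characters, and one client receiving a burst of 3xx redirects to many different hosts. The log lines, client addresses, hostnames and thresholds (256-character URLs, 10 redirects within 60 seconds) are constructed assumptions for illustration, not real traffic from the library.

```python
"""Triage a Squid-format access log for two symptoms: very long URLs that
carry percent-encoded multibyte (e.g. CJK) characters, and a single client
receiving a burst of 3xx redirects to ever-changing hosts.
All log lines below are constructed for this example."""
from collections import defaultdict
from urllib.parse import quote, unquote_to_bytes, urlsplit


def parse_squid_line(line):
    """Parse one Squid native access.log line into a dict, or None if malformed.
    Fields: time elapsed client action/code size method url ident hierarchy type."""
    parts = line.split()
    if len(parts) < 10:
        return None
    action, _, code = parts[3].partition("/")
    try:
        return {
            "time": float(parts[0]),
            "client": parts[2],
            "action": action,
            "status": int(code),
            "method": parts[5],
            "url": parts[6],
            "host": urlsplit(parts[6]).hostname or "",
        }
    except ValueError:
        return None


def long_encoded_urls(lines, min_len=256):
    """Return (client, url_length, non_ascii_bytes, host) for every request whose
    URL is at least min_len characters and percent-decodes to non-ASCII bytes."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or len(rec["url"]) < min_len:
            continue
        raw = unquote_to_bytes(rec["url"])
        non_ascii = sum(1 for b in raw if b > 0x7F)
        if non_ascii:
            hits.append((rec["client"], len(rec["url"]), non_ascii, rec["host"]))
    return hits


def redirect_storms(lines, window=60.0, threshold=10):
    """Return {client: (max_redirects_in_window, hosts_in_that_window)} for clients
    with at least `threshold` 3xx responses inside any `window`-second span."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is not None and 300 <= rec["status"] < 400:
            by_client[rec["client"]].append((rec["time"], rec["host"]))
    storms = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > storms.get(client, (0, set()))[0]:
                storms[client] = (count, {h for _, h in events[start:end + 1]})
    return storms


# Constructed sample log (assumed addresses and hostnames, not real traffic).
T0 = 1411998974.0
PATRON, STAFF = "10.0.0.55", "10.0.0.20"
# A Chinese-language page URL: each CJK character percent-encodes to 9 characters.
CJK_URL = "http://tw.news.yahoo.com/" + quote("國際新聞焦點") * 12
SAMPLE_LOG = [
    f"{T0:.3f}    120 {STAFF} TCP_MISS/200 5123 GET http://www.fspl.org/ - HIER_DIRECT/198.51.100.7 text/html",
    f"{T0 + 1:.3f}    340 {PATRON} TCP_MISS/200 18042 GET {CJK_URL} - HIER_DIRECT/203.0.113.10 text/html",
] + [
    # Fifteen 302s in under ten seconds, each to a different throwaway host.
    f"{T0 + 2 + i * 0.5:.3f}     60 {PATRON} TCP_MISS/302 512 GET "
    f"http://h{i:03d}.redirect.invalid/r?x={i} - HIER_DIRECT/203.0.113.{20 + i} text/html"
    for i in range(15)
]

if __name__ == "__main__":
    for client, length, non_ascii, host in long_encoded_urls(SAMPLE_LOG):
        print(f"long encoded URL: {client} -> {host} ({length} chars, {non_ascii} non-ASCII bytes)")
    for client, (count, hosts) in redirect_storms(SAMPLE_LOG).items():
        print(f"redirect storm: {client} got {count} 3xx responses from {len(hosts)} hosts")
```

Against a real deployment you would feed the functions the lines of the proxy's access.log instead of SAMPLE_LOG. The output only tells you which client and which requests coincide with the outages; it does not explain why the rewrite filter stops forwarding traffic, and that part still has to come from the ClearOS/DansGuardian logs at the time of the hang.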

 
