Re: [squid-users] default.ida worm

From: Robin Stevens <robin.stevens@dont-contact.us>
Date: Fri, 20 Jul 2001 16:07:46 +0100

On Fri, Jul 20, 2001 at 01:02:11PM +1200, Thomas Salmen wrote:
> Another one hit by the Code Red storm, huh...
>
> Putting them in an acl didn't seem to make a huge difference for us
> either - our Squids were still needing to process the connections, and
> getting so many of them that legitimate traffic was slowing right down.
> We ended up using ipchains to deny all requests from affected customers.
> But we only had 8 or so - you guys might have a few more...

We've found most affected machines to be sending a few hundred requests
out. However one or two have been much worse: one doing 1.4 million,
another seriously slowing everything with 46 million requests Sunday/Monday
(ouch!). This required blocks at the network hardware level to take the
load off squid...

-- 
--------------- Robin Stevens  <robin.stevens@oucs.ox.ac.uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------
Received on Fri Jul 20 2001 - 09:07:49 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:17 MST