Re: [squid-users] problem with urlpath_regex

From: Luiz Lima <llima@dont-contact.us>
Date: Wed, 8 Aug 2001 08:46:17 -0300

> but today
> I discovered non-blocked entries (with code NONE/411) in
> my access.log .
> 997213182.091 57 INFECTED_MACHINE_IP NONE/411 1559 GET http://217.106.234.17/default.ida? - NONE/- -
> what can be the reason of this?

I'm having the same problem with my 2.3-STABLE1. I get these hits via
transparent proxy and after a few dozen my squid hangs. You just wait a few
minutes and it starts servicing again. But then, someone infected hits it
again, trying to reach other victims, and it stops again... and again... and
again. For as long as there are no requests from the worm coming through the
server, it works.

I'm not talking about hundreds of thousands of ultra-fast connections. All I
need is one dial-up customer on a 33.600bps analog line with a Windows 2000
infected IIS5 and I'm done with Squid. Yesterday we debugged the problem for
the first time and it took 10 hours for the customer to dial in. Squid ran fine
for this time with empty output from a 'tail -f access.log | grep
"default\.ida"'. At the time this command began producing output from a
33.6kbps dial-up customer, it took 10 seconds to bring Squid to its knees.

Yesterday I compiled 2.4-STABLE1 in the hope that it would help me. We also
run RedHat 6.2. I'm planning on doing the upgrade today. But your report
brought tears to my eyes... I wish there was a way to filter these out
before Squid tries to serve them - even with NONE/411.

We had just installed an Intel switch 550T to manage transparent proxy and
now it's all shut down because of this crap... No transparent proxy = no
redirection through Squid from the worm request = no problems...

Any suggestions?

---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br
Received on Wed Aug 08 2001 - 05:46:24 MDT
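
An added example, not part of the original post: the `tail -f access.log | grep` watch described above, extended into a per-client summary so the infected dial-up or LAN hosts can be identified and blocked upstream of Squid. It assumes Squid's native access.log field order; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL ident hier/peer type
# Match on the URL path only (as urlpath_regex does); IIS paths are case-insensitive.
WORM_PATH = re.compile(r"^/default\.ida$", re.IGNORECASE)

# Constructed sample lines (documentation addresses, not from the original post).
SAMPLE_LOG = """\
997213182.091 57 192.0.2.10 NONE/411 1559 GET http://198.51.100.7/default.ida? - NONE/- -
997213182.450 120 192.0.2.44 TCP_MISS/200 4312 GET http://example.com/index.html - DIRECT/203.0.113.5 text/html
997213183.002 61 192.0.2.10 NONE/411 1559 GET http://198.51.100.8/default.ida? - NONE/- -
997213183.900 15 192.0.2.44 TCP_HIT/200 900 GET http://example.com/docs/default.ida.txt - NONE/- text/plain
garbage line
997213190.100 58 192.0.2.77 NONE/411 1559 GET http://198.51.100.9/DEFAULT.IDA? - NONE/- -
"""

def parse_line(line):
    """Return (timestamp, client, status, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[3], fields[6]

def worm_clients(lines):
    """Map client address -> hit count and first/last time of default.ida requests."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or corrupt log lines
        ts, client, _status, url = rec
        if not WORM_PATH.match(urlsplit(url).path):
            continue  # e.g. /docs/default.ida.txt is not a worm probe
        h = hits[client]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for client, h in sorted(worm_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client} hits={h['count']} first={h['first']} last={h['last']}")
```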