> I assume you're blocking code red requests by URL matching,
> right?
I try to, but since Code Red's requests are not 100% compliant, they are not
checked by the ACLs.

From what I've learned in the last days from research and this list, Squid
replies with NONE/411 and those requests are not checked because they are
not served anyway.
> Can you explain with more detail how Squid is brought to its
> knees? Do you run out of file descriptors, TCP ports, network
> mbufs?
I don't know. I'm not a Squid expert and, honestly, I've been running
2.3-STABLE1 from an RPM package. I've just compiled 2.4-STABLE1 but haven't
had the time to see if it fails in the same way. To keep running, I've
disabled redirection to Squid on my switch.

If you are interested in the behavior of 2.3-STABLE1, I can do the testing
for you. Just tell me how I can get to the info you need. All I have to
do is turn on transparent proxy and wait for the first infected customer to
dial in.

If you don't care about the behavior of 2.3-STABLE1, too bad, but I'll only
have available time to install 2.4-STABLE1 on Monday. Since we're up
(wasting a lot of $$ on bandwidth, but up), we had to decrease this incident
to resolve other pending issues. Then I'll be able to do whatever testing
you want - if it's vulnerable in the same way at all.

It's your call.
---
Luiz Lima
Image Link Internet
http://www.imagelink.com.br

Received on Thu Aug 09 2001 - 18:53:33 MDT