Re: [squid-users] Flooding squid

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 10 Apr 2006 22:45:24 +0200

On Mon 2006-04-10 at 15:08 +0200, Michał Margula wrote:
> Hello!
>
> I have some trouble with new kind of flood targeted at proxy server.
> One host creates thousands of new connections. Is there a way to
> protect against that at squid level? I would like to avoid doing it with
> netfilter, because it is hard to guess acceptable limit of connections
> (browsers tend to open many of them when viewing one page with many
> pictures, flash, java applets and so on).
>
> It is a snippet from access.log.
>
>
> 1144674534.008 99296 A.B.C.D TCP_MISS/000 0 GET http://A.B.223.254/ -
> NONE/- -

Fairly normal when there is a station infected with a virus/worm..

Can only be combated with a combination of Squid access logs and
iptables, blacklisting stations making too many failed IP based
requests.

Combating these in Squid alone isn't very useful as they tend to just
bash Squid even harder if rejected by Squid alone.

A simple solution is a small daemon tailing the Squid access.log looking
for TCP_MISS/000 records with IP based URLs, and when seeing too many
from the same station within a minute or so automatically add an
iptables rule blacklisting this host.

Regards
Henrik
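The log-tailing detector Henrik sketches, written out as an added example (not code from Henrik or the Squid project): it parses native-format access.log lines, counts TCP_MISS/000 requests to IP-literal URLs per client in a sliding one-minute window, and hands back the iptables command to run once a client crosses the threshold. The threshold of 20, the sample log lines and the exact iptables rule shape are assumptions for illustration; a real daemon would feed it `tail -F access.log` and run the returned command via subprocess.

```python
import ipaddress
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client action/status bytes method url ident hier/peer type
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+\S+\s+(?P<url>\S+)")
WINDOW = 60.0   # seconds ("within a minute or so")
THRESHOLD = 20  # hypothetical cutoff; tune to your site's normal browsing

def is_ip_url(url):
    """True when the request URL names a bare IP literal rather than a hostname."""
    host = urlsplit(url).hostname
    if host is None:  # CONNECT requests are logged as "host:port" with no scheme
        host = url.split("/")[0].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(line):
    m = LOG_RE.match(line)
    return (float(m["ts"]), m["client"], m["status"], m["url"]) if m else None

def scan(lines, threshold=THRESHOLD, window=WINDOW):
    """Return clients with >= threshold TCP_MISS/000 requests to IP-based URLs inside one window."""
    recent = defaultdict(deque)  # client -> timestamps of qualifying requests
    offenders = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, status, url = rec
        if status != "TCP_MISS/000" or not is_ip_url(url):
            continue  # ordinary traffic, cache misses included, is never counted
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and client not in offenders:
            offenders.append(client)
    return offenders

def iptables_rule(client):
    """Command the daemon would run via subprocess; 3128 is Squid's default port (assumed here)."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", client, "--dport", "3128", "-j", "DROP"]

# Constructed sample: 192.0.2.50 hits IP-based URLs every 2 s; 192.0.2.51 browses a named site
SAMPLE = [f"{1144674534 + 2 * i:.3f} 99296 192.0.2.50 TCP_MISS/000 0 GET http://198.51.100.{i + 1}/ - NONE/- -" for i in range(25)]
SAMPLE += [f"{1144674534 + 3 * i:.3f} 120 192.0.2.51 TCP_MISS/200 5321 GET http://www.example.com/{i}.png - DIRECT/203.0.113.10 image/png" for i in range(25)]
```

Because only TCP_MISS/000 requests to IP literals are counted, a browser fetching dozens of images from a named host never trips the rule, which addresses the worry about guessing a raw connection limit in netfilter.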

Received on Mon Apr 10 2006 - 14:45:30 MDT
