On Mon 2006-04-10 at 15:08 +0200, Michał Margula wrote:
> Hello!
>
> I have some trouble with a new kind of flood targeted at the proxy server.
> One host creates thousands of new connections. Is there a way to
> protect against that at the Squid level? I would like to avoid doing it with
> netfilter, because it is hard to guess an acceptable limit of connections
> (browsers tend to open many of them when viewing one page with many
> pictures, flash, java applets and so on).
>
> It is a snippet from access.log.
>
>
> 1144674534.008 99296 A.B.C.D TCP_MISS/000 0 GET http://A.B.223.254/ - NONE/- -
Fairly normal when there is a station infected with a virus/worm.
Can only be combated with a combination of Squid access logs and
iptables, blacklisting stations making too many failed IP-based
requests.
Combating these in Squid alone isn't very useful, as they tend to just
bash Squid even harder if rejected by Squid alone.
A simple solution is a small daemon tailing the Squid access.log, looking
for TCP_MISS/000 records with IP-based URLs, and when it sees too many
from the same station within a minute or so, automatically adding an
iptables rule blacklisting this host.
Regards
Henrik
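The daemon Henrik sketches, written out as an added example (this is not Henrik's code and not part of the Squid project). It parses native-format access.log lines like the one quoted above, counts TCP_MISS/000 requests to IP-literal URLs per client address in a sliding window, and emits an iptables rule the first time a station crosses the threshold. The window of 60 seconds, the threshold of 30 requests, Squid listening on TCP 3128, the `iptables -I INPUT ... -j DROP` rule shape, and the sample log lines (addresses 10.0.0.x and 192.0.2.x) are all assumptions made for the example, not values from the thread.

```python
"""Tail Squid's access.log and blacklist stations flooding it with failed IP-based requests.
Added example, not Henrik's or Squid's code; assumptions are marked ASSUMED."""
import ipaddress
import re
import subprocess
import sys
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

WINDOW_SECONDS = 60   # ASSUMED: "within a minute or so"
THRESHOLD = 30        # ASSUMED: failed IP-based requests per window before blocking
SQUID_PORT = "3128"   # ASSUMED: Squid's listening port

# Squid native access.log: timestamp elapsed client result/status bytes method url ident hier/peer type
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})"
                     r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

def parse_line(line):
    """Fields of one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_ip_literal_url(url):
    """True when the request host is an IP literal: http://A.B.C.D/ or CONNECT's A.B.C.D:443."""
    try:
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0].strip("[]")
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def is_failed_ip_request(rec):
    """The signature from the post: TCP_MISS with status 000 and an IP-based URL."""
    return rec["result"] == "TCP_MISS" and rec["status"] == "000" and is_ip_literal_url(rec["url"])

class FloodDetector:
    """Sliding-window count of failed IP-based requests per client; fires once per client."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, exempt=("127.0.0.1",)):
        self.threshold, self.window, self.exempt = threshold, window, set(exempt)
        self.events = defaultdict(deque)   # client -> timestamps of recent failed IP-based requests
        self.blocked = set()

    def feed(self, line):
        """Feed one log line; return the client address the first time it crosses the threshold."""
        rec = parse_line(line)
        if rec is None or not is_failed_ip_request(rec):
            return None
        client, ts = rec["client"], float(rec["ts"])
        q = self.events[client]
        q.append(ts)
        while q and ts - q[0] > self.window:     # forget events older than the window
            q.popleft()
        if len(q) >= self.threshold and client not in self.blocked | self.exempt:
            self.blocked.add(client)
            return client
        return None

def iptables_block_cmd(client):
    """Drop the station's connections to Squid before they reach it (ASSUMED rule shape)."""
    return ["iptables", "-I", "INPUT", "-s", client, "-p", "tcp", "--dport", SQUID_PORT, "-j", "DROP"]

def follow(path, poll=1.0):
    """Yield lines appended to path, like tail -f (log rotation is not handled here)."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)

def build_sample_log():
    """Constructed sample log (not from the original post): one flooder, one slow trickle, normal traffic."""
    base, lines = 1144674534.0, []
    for i in range(20):   # 10.0.0.7 browsing named hosts, served fine
        lines.append(f"{base + i:.3f} 120 10.0.0.7 TCP_HIT/200 4523 GET http://www.example.com/img{i}.png - NONE/- image/png")
    for i in range(10):   # 10.0.0.9: one failed IP-based request every 30 s, stays under threshold
        lines.append(f"{base + 30 * i:.3f} 99296 10.0.0.9 TCP_MISS/000 0 GET http://192.0.2.{i + 1}/ - NONE/- -")
    for i in range(60):   # 10.0.0.5: 60 failed IP-based requests in 6 s, the worm pattern
        lines.append(f"{base + 0.1 * i:.3f} 99296 10.0.0.5 TCP_MISS/000 0 GET http://192.0.2.{i + 1}/ - NONE/- -")
    return sorted(lines, key=lambda l: float(l.split()[0]))

def run_sample():
    """Run the detector over the sample log; return the stations that would be blacklisted."""
    det = FloodDetector()
    return [c for c in map(det.feed, build_sample_log()) if c]

if __name__ == "__main__":   # usage: detector.py [/var/log/squid/access.log] [--apply]
    det = FloodDetector()
    for line in follow(next((a for a in sys.argv[1:] if a != "--apply"), "/var/log/squid/access.log")):
        station = det.feed(line)
        if station:
            cmd = iptables_block_cmd(station)
            print("blacklisting", station, " ".join(cmd))
            if "--apply" in sys.argv:
                subprocess.run(cmd, check=True)
```

Without `--apply` the script only prints the rule it would add, which is the safe way to tune the threshold against a real log before running it as root. Three things to check before relying on it: the `client` field is a hostname rather than an address when Squid runs with `log_fqdn on`, so `-s` would then receive a name; the rule drops the station's packets in INPUT before Squid ever answers, which is why this works where a Squid-side deny does not; and nothing here removes the rule again, so a cleaned station stays blocked until someone runs the matching `iptables -D`.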
This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT