Re: [squid-users] Bug 2973 - Memory leak when handling pathless http requests

2010-07-11 Thread Panagiotis Christias
hmm.. this bug could be the reason for the situation I described in
http://www.mail-archive.com/squid-users@squid-cache.org/msg73257.html

On Fri, Jul 2, 2010 at 1:57 PM, Richard Wall wrote:
> I just filed a new bug and wondered if anyone here had seen a similar
> problem or had any suggestions about how to track down the possible
> memory leak.
>
>  * http://bugs.squid-cache.org/show_bug.cgi?id=2973
>
> There seems to be quite a bad memory leak in the way Squid handles HTTP
> requests which do not contain a path. For example, one of our customer's Squid
> servers, deployed in transparent mode, is receiving many thousands of such
> requests, presumably some sort of DOS attack on the named web server.
>
> {{{
> GET  HTTP/1.1
> Host: aferist.su
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2) Gecko/20100115 Firefox/3.6b1 (de) (TL-FF) (.NET CLR 3.5.30729)
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: Keep-Alive
> }}}
>
> Squid logs these as TCP_DENIED/400
> {{{
> 1278006100.745      0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
> }}}
>
> When the attack starts, we observe a rapid increase in the Squid resident
> memory size until eventually Squid crashes.
>
> -RichardW.
>


Re: [squid-users] Bug 2973 - Memory leak when handling pathless http requests

2010-07-11 Thread Amos Jeffries

Amos Jeffries wrote:
> Richard Wall wrote:
>> I just filed a new bug and wondered if anyone here had seen a similar
>> problem or had any suggestions about how to track down the possible
>> memory leak.
>>
>>  * http://bugs.squid-cache.org/show_bug.cgi?id=2973
>>
>> There seems to be quite a bad memory leak in the way Squid handles HTTP
>> requests which do not contain a path. For example, one of our customer's Squid
>> servers, deployed in transparent mode, is receiving many thousands of such
>> requests, presumably some sort of DOS attack on the named web server.
>
> Well, yes, you could have uncovered a successful DoS attack against Squid. If
> you are right this may be a very serious bug, or maybe just a rarely
> working but fatal attack. I've pinged Henrik on IRC.
>
> If you have any further details or replication on this please use the
> squid-b...@squid-cache.org email address instead of the public bugzilla.
> At least until we have had more of a chance to verify the risk level and
> find a fix.
>
> Thank you.
>
> Amos


For the record:

 This has been verified as a Squid-2 specific problem. No security 
alert has been made. Squid-2 patch is available at 
http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12696.patch.


 Squid-3 is unaffected.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5


Re: [squid-users] Bug 2973 - Memory leak when handling pathless http requests

2010-07-02 Thread Amos Jeffries

Richard Wall wrote:
> I just filed a new bug and wondered if anyone here had seen a similar
> problem or had any suggestions about how to track down the possible
> memory leak.
>
>  * http://bugs.squid-cache.org/show_bug.cgi?id=2973
>
> There seems to be quite a bad memory leak in the way Squid handles HTTP
> requests which do not contain a path. For example, one of our customer's Squid
> servers, deployed in transparent mode, is receiving many thousands of such
> requests, presumably some sort of DOS attack on the named web server.


Well, yes, you could have uncovered a successful DoS attack against Squid. If
you are right this may be a very serious bug, or maybe just a rarely 
working but fatal attack. I've pinged Henrik on IRC.


If you have any further details or replication on this please use the 
squid-b...@squid-cache.org email address instead of the public bugzilla. 
At least until we have had more of a chance to verify the risk level and 
find a fix.


Thank you.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.4


[squid-users] Bug 2973 - Memory leak when handling pathless http requests

2010-07-02 Thread Richard Wall
I just filed a new bug and wondered if anyone here had seen a similar
problem or had any suggestions about how to track down the possible
memory leak.

 * http://bugs.squid-cache.org/show_bug.cgi?id=2973

There seems to be quite a bad memory leak in the way Squid handles HTTP
requests which do not contain a path. For example, one of our customer's Squid
servers, deployed in transparent mode, is receiving many thousands of such
requests, presumably some sort of DOS attack on the named web server.

{{{
GET  HTTP/1.1
Host: aferist.su
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2) Gecko/20100115 Firefox/3.6b1 (de) (TL-FF) (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: Keep-Alive
}}}

Squid logs these as TCP_DENIED/400
{{{
1278006100.745  0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
}}}

When the attack starts, we observe a rapid increase in the Squid resident
memory size until eventually Squid crashes.

-RichardW.
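
The access.log signature described in this thread (`TCP_DENIED/400` with a `NONE://` URL) can be counted per client and time window to spot a burst before resident memory grows. The following is an added example, not part of the original posts or of Squid; the function names, the 60-second window and the threshold are assumptions, and every log line except the first is constructed.

```python
from collections import Counter

# Squid native access.log format. The first line is the entry quoted in the
# post; the remaining lines are constructed for this example.
SAMPLE_LOG = """\
1278006100.745      0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
1278006100.901      0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
1278006101.120      0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
1278006101.300     85 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/198.51.100.7 text/html
1278006102.010      0 192.0.2.10 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
1278006190.500      0 1.2.3.4 TCP_DENIED/400 870 GET NONE:// - NONE/- text/html
this line is truncated
"""


def parse_line(line):
    """Return (timestamp, client, result_code, url), or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[3], fields[6]


def unparseable_request_bursts(log_text, window=60, threshold=3):
    """Count TCP_DENIED/400 + NONE:// entries per (client, window start)
    and return only the buckets that reach the threshold."""
    buckets = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or garbled lines instead of failing
        ts, client, code, url = rec
        if code == "TCP_DENIED/400" and url == "NONE://":
            buckets[(client, int(ts // window) * window)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}


if __name__ == "__main__":
    for (client, start), n in unparseable_request_bursts(SAMPLE_LOG).items():
        print(f"{client}: {n} unparseable requests in window starting {start}")
```
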