acl msurl url_regex ^http://www\.microsoft\.com
# no requested object
acl msurlpath urlpath_regex /$
# any user agent
acl msurlbro browser .*

# allow users whose browser sends a User-Agent header
http_access allow msurl msurlbro
# deny those that don't
http_access deny msurl msurlpath

# don't bother sending a reply to the virus
deny_info TCP_RESET msurl msurlpath


To ensure that everything works, check your access log and you should see
1076806934.151    451 202.133.44.214 TCP_DENIED 0 GET http://www.microsoft.com/ - NONE/- -



Rgds
HK
----- Original Message ----- 
From: "Danish Khan" <[EMAIL PROTECTED]>
To: "'Hwee Khoon, Neo'" <[EMAIL PROTECTED]>; "'Duane Wessels'"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 16, 2004 9:52 PM
Subject: RE: [squid-users] is it a DOS attack ??


> Thx for the reply. In this scenario how I blocked those requests on my
> Proxy which are carrying that doom virus. i.e. how I trace them.
>
> Thx
> Regards,
> Danish Khan
>
> -----Original Message-----
> From: Hwee Khoon, Neo [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 16, 2004 1:04 PM
> To: [EMAIL PROTECTED]; 'Duane Wessels'
> Cc: [EMAIL PROTECTED]
> Subject: Re: [squid-users] is it a DOS attack ??
>
> try and access www.microsoft.com from your squid server, if you can't get
> thru, it means microsoft has blocked you out.
>
> if you are getting a lot of requests to www.microsoft.com without any
> user-agent header and request object, some machines using your proxy could
> have been infected with mydoom.c virus and tries to flood the website with
> requests
>
> try and block these requests out by denying requests that do not have any
> user-agent header inside squid.conf
>
> rgds
> hk
>
>
> ----- Original Message ----- 
> From: "Danish Khan" <[EMAIL PROTECTED]>
> To: "'Duane Wessels'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, February 15, 2004 12:35 PM
> Subject: RE: [squid-users] is it a DOS attack ??
>
>
> > Yea I can saw the forwarding loop thing in cache.log.. but plz tell me in
> > detail that how I overcome that.
> >
> > Regards
> >
> > Danish Khan
> >
> > -----Original Message-----
> > From: Duane Wessels [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, February 15, 2004 5:51 AM
> > To: Danish Khan
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [squid-users] is it a DOS attack ??
> >
> >
> >
> >
> > On Sat, 14 Feb 2004, Danish Khan wrote:
> >
> > > I have configured my box with 8192 FD but still I got warnings of FD's and
> > > too many comm.(23) Port error WHY plz update :(
> > >
> > > Danish
> > >
> > > -----Original Message-----
> > > From: Mahmood Ahmed [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, February 14, 2004 10:24 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [squid-users] is it a DOS attack ??
> > >
> > > Hello List!
> > >
> > > I have been facing this strange problem for last 3 days. I hope someone
> > > here will be able to shed light on it. I don't know whether it's a bug or a
> > > virus or a DOS attack but it is hitting my squid box very hard. In my access
> > > log I am seeing a lot of these.
> > >
> > > 1076806934.151    451 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
> > > 1076806934.163    461 202.133.44.214 TCP_MISS/000 0 GET
> >
> > This looks to me like a forwarding loop.
> >
> > Are you using HTTP interception?
> >
> > Duane W.
> >
>
>
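
To trace which proxy clients are sending the requests described in this thread (a GET for http://www.microsoft.com/ with no object path and zero bytes returned), the access log can be tallied per client address. This is an added example, not part of the original messages; the function names, the `min_hits` threshold and every sample log line except the first (which is the one quoted in the thread) are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout. Line 1 is quoted in the thread; the
# remaining lines are constructed sample data (documentation addresses).
SAMPLE_LOG = """\
1076806934.151    451 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806934.300    460 202.133.44.214 TCP_MISS/000 0 GET http://www.microsoft.com/ - NONE/- -
1076806934.402      3 202.133.44.214 TCP_DENIED/403 0 GET http://www.microsoft.com/ - NONE/- -
1076806935.010    212 192.0.2.10 TCP_MISS/200 18734 GET http://www.microsoft.com/ - DIRECT/192.0.2.80 text/html
1076806935.512     95 192.0.2.10 TCP_MISS/200 4211 GET http://www.microsoft.com/library/toolbar.css - DIRECT/192.0.2.80 text/css
1076806936.001      2 192.0.2.77 TCP_DENIED 0 GET http://www.microsoft.com/ - NONE/- -
this line is truncated
"""

def parse_line(line):
    """Return (client, result_code, size, method, url), or None if malformed."""
    f = line.split()
    if len(f) < 7 or not f[4].isdigit():
        return None
    # "TCP_MISS/000" -> "TCP_MISS"; a bare "TCP_DENIED" is accepted as well.
    result = f[3].split("/")[0]
    return f[2], result, int(f[4]), f[5], f[6]

def is_suspect(rec, host="www.microsoft.com"):
    """GET for the bare site root of `host` that delivered no bytes."""
    _client, _result, size, method, url = rec
    u = urlsplit(url)
    return (method == "GET" and u.hostname == host
            and u.path in ("", "/") and not u.query and size == 0)

def suspect_clients(log_text, min_hits=2):
    """Map client IP -> number of suspect requests, for clients at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits[rec[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for ip, n in sorted(suspect_clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} empty requests for the site root")
```

Raise `min_hits` when running against a full day's log so that a single aborted page load does not flag a client.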
