(2nd attempt to send this, looks like it failed first attempt) Sorry to bring up such an old issue
Our Squid boxes keep getting overwhelmed with requests from customers that have been infected with a worm. Infected systems keep trying to surf to random IP addresses. Looking through past comments about this, someone has suggested blocking requests to IP addresses. (I think this is what was suggested.)

    acl worm url_regex ^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/.*$
    http_access deny worm

Others have said this is a firewall issue and should be dealt with at the router level. I know this is maybe not directly Squid related, but if I'm having this issue, I'm sure other Squid users are. Which approach would be best for dealing with this problem? Having Squid deal with it, or blocking at the router level? And if at the router level, can anybody post a simple solution for blocking this on a Cisco router?

As an ISP, something tells me that blocking HTTP requests to IP addresses is a bad thing to do. It's perfectly legit for our customers to surf to an IP address. (We'd just like it if it wasn't happening en masse from a worm causing a slowdown for other customers.)

Actually, one last question. What is really happening here? Is the worm making many requests, presumably to IP addresses that don't have web servers running on them, and Squid is waiting for the replies to come back (timing out)? Is Squid getting slow because it has reached some max number of open connections (while waiting for these replies/timeouts)?
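Before choosing between a blanket url_regex deny and a router rule, it helps to measure from Squid's own access.log which clients are generating the IP-literal requests and how those requests end (status code, elapsed time). The following Python script is an added example, not code from the original post or from the Squid project; it parses Squid's native access.log format (time, elapsed ms, client, action/status, bytes, method, URL, ...), keeps only requests whose URL host is a bare IPv4 literal (the same pattern the posted ACL targets), and reports per-client counts, distinct destination hosts, status codes and average elapsed time so that a handful of infected customers can be identified and handled individually instead of denying IP-literal URLs for everyone. The log lines, client addresses and the threshold of 10 requests are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# URL whose host part is a dotted-quad IPv4 literal, with an optional port.
# Tighter than the posted ACL regex: each octet needs 1-3 digits and the
# host must be followed by "/", or end the URL, so "http://1.2.3.4" matches
# but "http://1.2.3.4.example.com/" does not.
IP_LITERAL_URL = re.compile(r'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)')

# Squid native access.log layout (space separated, columns after the URL ignored):
#   time elapsed_ms client action/status bytes method url ident hierarchy/peer type
LOG_LINE = re.compile(r'^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)')


def parse_line(line):
    """Return the fields we care about from one access.log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, elapsed, client, action, status, _size, method, url = m.groups()
    return {'client': client, 'elapsed_ms': int(elapsed), 'action': action,
            'status': int(status), 'method': method, 'url': url}


def ip_literal_host(url):
    """Return the IPv4 literal used as the URL's host, or None for a normal hostname."""
    m = IP_LITERAL_URL.match(url)
    return m.group(1) if m else None


def summarize(lines, threshold=10):
    """Per-client statistics for IP-literal requests; only clients at or above threshold are returned."""
    requests = Counter()
    hosts = defaultdict(set)
    statuses = defaultdict(Counter)
    elapsed = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = ip_literal_host(rec['url'])
        if host is None:
            continue
        c = rec['client']
        requests[c] += 1
        hosts[c].add(host)
        statuses[c][rec['status']] += 1
        elapsed[c].append(rec['elapsed_ms'])
    report = {}
    for c, n in requests.items():
        if n >= threshold:
            report[c] = {
                'requests': n,
                'distinct_hosts': len(hosts[c]),
                'status_codes': dict(statuses[c]),
                'avg_elapsed_ms': sum(elapsed[c]) / len(elapsed[c]),
            }
    return report


# Constructed sample log: one client (10.0.0.5) sweeping twelve different bare IP
# addresses, each request timing out after 30 s with a 503; another client (10.0.0.9)
# making two ordinary requests, one of them to an IP literal.  Addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    "1054236032.%03d  30000 10.0.0.5 TCP_MISS/503 0 GET http://203.0.113.%d/ - DIRECT/203.0.113.%d -"
    % (i, i, i)
    for i in range(1, 13)
] + [
    "1054236040.100    120 10.0.0.9 TCP_MISS/200 5123 GET http://198.51.100.20/index.html - DIRECT/198.51.100.20 text/html",
    "1054236041.200     80 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/ - NONE/- text/html",
]

if __name__ == '__main__':
    for client, stats in summarize(SAMPLE_LOG).items():
        print(client, stats)
```

Run against a real log with `summarize(open('/var/log/squid/access.log'))` (path assumed; adjust to your installation). A client that shows many distinct hosts, a single error status and an elapsed time close to Squid's connect timeout is the signature the post describes: the proxy is holding a connection slot open for each request until the timeout fires, which is what pushes the box toward its open-connection limit, and the report tells you which customers to contact or rate-limit rather than whether to deny IP-literal URLs globally.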
