On Thu, 19 Feb 2004, Brad Groshok wrote:

> Looking through past comments about this, someone has suggested blocking
> requests to ip addresses.
> (think this is what was suggested)
>
> acl worm url_regex ^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/.*$
> http_access deny worm
This should work, but will also block users from accessing such pages.

> Others have said this is a firewall issue and should be dealt with at the
> router level. This is best, but hard to automate.
> Which approach would be best for dealing with this problem?
> Having squid deal with it, or blocking at the router level?
>
> And if at the router level
> Can anybody post a simple solution for blocking this on a cisco router.

It does not need to be in the router. Almost all OSes where Squid runs have
firewalling capabilities allowing you to install filters like these.

Doing it on the proxy server makes life a lot easier, as you can then have a
small program which monitors the proxy access log for dubious activity and
blocks the IP addresses generating such traffic.

> Actually, one last question. What is really happening here?
> Is the worm making many requests, presumably to ip addresses that don't
> have web servers running on them, and squid is waiting for the replies to
> come back? (timing out)

If you see a lot of requests for IP addresses or a certain web site from a
few clients, where "a lot" is in proportion to the amount of normal traffic,
then something hairy is going on at those clients, usually a worm.

> Is squid getting slow because it has reached some max number of open
> connections? (while waiting for these replies/timeouts)

Squid performance degrades if it needs to keep very many connections, and
gets very poor if it runs out of filedescriptors (see cache.log for warnings
about this).

Configuration directives which help somewhat are (in priority order)

  half_closed_clients off
  client_persistent_connections off
  server_persistent_connections off

Regards
Henrik
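As an added example (not code from the thread; Henrik only describes the idea), here is a small Python monitor of the kind he suggests: it reads Squid native-format access.log lines, counts per client how many requests go to bare IP-address URLs and how many of those fail, flags clients whose IP-literal traffic is large both in absolute terms and in proportion to their normal traffic, and emits a squid.conf ACL plus iptables rules for the proxy host. The thresholds, the ACL name worm_clients, the proxy port 3128 and the log lines are assumptions/constructed for illustration, and nothing is executed, only printed.

```python
"""Flag Squid clients that look worm-infected from access.log (added example).

Heuristic from the thread: a client issuing a large number of requests to bare
IP-address URLs, many of them failing, out of proportion to its normal traffic
is probably running a worm. Thresholds and sample data are assumptions.
"""
import re
from collections import defaultdict

# Squid "native" access.log line:
# timestamp elapsed client code/status bytes method url ident hierarchy/peer type
NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

# URL whose host is a dotted quad (optionally with a port) rather than a name.
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")


def parse_line(line):
    """Return a dict of fields for a native-format line, or None if unparsable."""
    m = NATIVE_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def is_ip_url(url):
    return IP_URL.match(url) is not None


def scan(lines, min_requests=20, min_fraction=0.5):
    """Per-client stats plus the list of clients exceeding both thresholds.

    A client is flagged when it made at least min_requests requests to bare-IP
    URLs AND those are at least min_fraction of all its requests, so a host
    that legitimately talks to one intranet box by address is not caught.
    """
    stats = defaultdict(lambda: {"total": 0, "ip_urls": 0, "failed": 0, "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage / non-native lines
        s = stats[rec["client"]]
        s["total"] += 1
        if is_ip_url(rec["url"]):
            s["ip_urls"] += 1
            host = rec["url"].split("/")[2].split(":")[0]
            s["targets"].add(host)  # distinct hosts swept, a scan indicator
            if rec["status"] >= 500 or rec["status"] == 0:
                s["failed"] += 1  # 5xx / 000: connect failed or timed out
    flagged = []
    for client, s in sorted(stats.items()):
        if s["ip_urls"] >= min_requests and s["ip_urls"] / s["total"] >= min_fraction:
            flagged.append(client)
    return flagged, dict(stats)


def squid_block_config(clients, acl_name="worm_clients"):
    """squid.conf snippet denying the flagged source addresses (assumed ACL name)."""
    if not clients:
        return ""
    return "acl {0} src {1}\nhttp_access deny {0}\n".format(acl_name, " ".join(clients))


def firewall_commands(clients, proxy_port=3128):
    """iptables rules for the proxy host itself (Henrik's suggestion). Returned, not run."""
    return ["iptables -I INPUT -s {} -p tcp --dport {} -j DROP".format(c, proxy_port)
            for c in clients]


def constructed_log():
    """Constructed sample: a normal client and a client sweeping 40 addresses."""
    ts = 1077180000
    sites = ["www.squid-cache.org", "www.example.com", "www.example.net"]
    lines = ["%d.000 300 192.168.1.10 TCP_MISS/200 1234 GET http://%s/ - DIRECT/%s text/html"
             % (ts + i, sites[i % 3], sites[i % 3]) for i in range(10)]
    # one legitimate bare-IP request from the normal client
    lines.append("%d.000 50 192.168.1.10 TCP_MISS/200 512 GET http://10.0.0.5/status - "
                 "DIRECT/10.0.0.5 text/html" % (ts + 10))
    for i in range(40):  # worm-like: many distinct IPs, every connect times out
        target = "10.20.%d.%d" % (i // 8, 30 + i)
        lines.append("%d.000 120000 192.168.1.50 TCP_MISS/503 0 GET http://%s/ - NONE/- -"
                     % (ts + i, target))
    lines.append("this line is garbage and must be ignored")
    return lines


if __name__ == "__main__":
    flagged, stats = scan(constructed_log())
    for c in flagged:
        s = stats[c]
        print("%s: %d/%d requests to bare IPs, %d failed, %d distinct targets"
              % (c, s["ip_urls"], s["total"], s["failed"], len(s["targets"])))
    print(squid_block_config(flagged))
    print("\n".join(firewall_commands(flagged)))
```

In practice the script would tail access.log continuously and, after emitting the rules, reconfigure Squid (squid -k reconfigure) or apply the iptables rules; blocking at the proxy rather than the router is what makes that automation simple, as the reply notes.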
