Re: Request acceleration Decision

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 7 Feb 2004 17:33:53 +0100 (CET)

On Sat, 7 Feb 2004, Sumit Pandya wrote:

> Dear Developers,
> In our ISP setup we are running a squid-2.5.STABLE1 cache in transparent mode
> with "http_accel_with_proxy off". For the last few days our cache.log has been
> growing with
> "proxy request denied in accel_only mode for xxx.xxx.xxx.xxx"

This is because you have "http_accel_with_proxy off" and someone is
sending you requests with a full URL.

> 2> We took a tcpdump for the "host xxx.xxx.xxx.xxx and port www" and we
> replayed those raw packets on our production machine running squid in full
> debug mode. There we figured out that the form of the request was the following
>
> GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1
> HTTP/1.1
> Host: www.Gustavo.com

This is a Denial of Service worm trying to attack a website. I don't
remember which worm.

You need to have the offending client cleaned from this worm.

If you enable httpd_accel_with_proxy then you will get rid of the
warning, but you will also allow this worm to attack the requested web
site via your proxy, which is probably not what you want.

And you SHOULD enable the recommended to_localhost deny rule.

> My proposal to overcome this situation is: can this code be modified a
> little and netfilter's help be taken for making the decision about
> acceleration?

Such changes have already been done in Squid-3 to clearly separate
accelerated and proxied (including transparently intercepted) requests.

There are no plans for doing this in Squid-2.5.

> Does this extra getsockopt and one conditional setting of an integer variable
> impact your performance? Henrik? From my technical point of view it is
> feasible, as the logs about "proxy access denied ..." are generating false
> information too. As this is not a proxy request but an accelerated and
> invalid request; am I right?

The request is technically valid, but strictly speaking not something you
want to have forwarded due to its dubious origin (client station infected
by a worm, trying to destroy the Internet). In this case it is only good that
Squid barfs on the request so you notice there is a problem with this
client.

The "httpd_accel_with_proxy off" directive violates the HTTP
specifications and does not exist any longer in Squid-3.

Transparently intercepting client requests violates fundamental aspects
of the IP standard, but in some networks there unfortunately are no good
alternatives.

Regards
Henrik
Received on Sat Feb 07 2004 - 09:34:13 MST
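The to_localhost deny rule Henrik refers to, shown in context with the Squid-2.5 transparent-interception settings from the question. This is an added illustration, not configuration from the thread or from the Squid project; the acl names other than to_localhost and the 192.168.0.0/16 client range are placeholders for the ISP's own values.

```squid
# Squid-2.5 transparent interception as in the question (assumed layout;
# the localnet range is a placeholder).
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy off
httpd_accel_uses_host_header on

acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16
acl to_localhost dst 127.0.0.0/8

# Refuse to forward anything whose destination resolves to the proxy host's
# own loopback range, however that destination was derived (absolute URL or
# Host header). This must come before the allow rules.
http_access deny to_localhost
http_access allow localnet
http_access deny all
```

The dst ACL is evaluated against the destination the request resolves to, so the rule closes the loopback target regardless of whether the client supplied a full URL or only a Host header; it does not stop the worm traffic itself, which, as Henrik says, has to be cleaned at the client.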
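A small triage script for the request shape quoted in the thread: a full (absolute) URL on the request line combined with a Host header that names a different site. This is an added example, not code from the thread or from Squid; it only mirrors the symptom Henrik describes (a proxy-style request arriving at an intercepting listener) so that replayed captures can be sorted before anyone looks at cache.log. The sample requests are constructed for the demonstration; the first reuses the hostnames quoted in the question.

```python
"""Classify raw HTTP/1.x requests the way an intercepting proxy sees them.

Added example, not code from the original thread or from Squid. Sample
requests below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed samples. The first reproduces the request form quoted in the
# thread; the other two are ordinary requests used for contrast.
WORM_REQUEST = (
    b"GET http://www.instituto.com.br/attackDoS.php?ver=01&task=newzad&first=1 HTTP/1.1\r\n"
    b"Host: www.Gustavo.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PROXY_REQUEST = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com:80\r\n\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split the request line and headers of a raw HTTP request.

    Returns method, target, version and a dict keyed by lower-cased header name.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(raw: bytes) -> dict:
    """Decide whether a request is origin-form (/path) or absolute-form
    (http://host/path, i.e. proxy-style) and, for absolute-form, whether the
    URL host agrees with the Host header.
    """
    req = parse_request(raw)
    target = req["target"]
    host_hdr = req["headers"].get("host")
    if target.startswith("/"):
        return {"form": "origin", "url_host": None,
                "host_header": host_hdr, "mismatch": False}
    url_host = urlsplit(target).hostname  # already lower-cased by urlsplit
    # Ignore an explicit :port on the Host header (IPv6 literals not handled).
    hh = host_hdr.split(":")[0].lower() if host_hdr else None
    mismatch = url_host is not None and hh is not None and url_host != hh
    return {"form": "absolute", "url_host": url_host,
            "host_header": host_hdr, "mismatch": mismatch}


def triage(samples) -> list:
    """Return one verdict string per raw request, in input order."""
    out = []
    for raw in samples:
        c = classify(raw)
        if c["form"] == "origin":
            out.append("ok: origin-form request")
        elif c["mismatch"]:
            out.append("suspicious: absolute-form, URL host %s != Host %s"
                       % (c["url_host"], c["host_header"]))
        else:
            out.append("proxy-style: absolute-form request for %s" % c["url_host"])
    return out


if __name__ == "__main__":
    for verdict in triage([NORMAL_REQUEST, WORM_REQUEST, PROXY_REQUEST]):
        print(verdict)
```

On an intercepting port every absolute-form request is worth a look, since a browser that does not know about the proxy never sends one; the Host mismatch is the extra signal that singles out the worm's requests from a client that is merely misconfigured to use the cache as an explicit proxy.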
