Re: SYN floods?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 25 Jun 1999 01:31:02 +0200

Jon Drukman wrote:

> First, the complaints were that we were flooding a bunch of identd
> requests. I rebuilt squid without the identd code. Now I am getting
> complaints about SYN floods. I can't make it happen and since I only get a
> complaint once every few days I'm assuming it's a transient problem. Does
> anybody know anything about this?

Squid may appear to SYN flood if a server refuses TCP connections. It is
not a SYN flood per se as a TCP handshake actually takes place but is
refused by the origin server. When a server refuses to accept a TCP
connection Squid rapidly retries the connection a couple of times (max
30) before giving up. During this Squid also cycles through the known
IP addresses of the host.

This behaviour was introduced because of Microsoft servers sending TCP
Resets when they are overloaded.

The number of attempts will be limited to 10 if you set
maximum_single_addr_tries to 1 (recommended in most configurations;
this "single_addr_tries" is no longer needed and the implementation is
partially broken).

> Question 2: Since I'm running in accelerator-only mode, do I need the
> dnsservers at all? If not, how can I disable them?

Maybe, but Squid probably needs at least one to be happy.

> Question 3: I always get the "WARNING! Your cache is running out of
> filedescriptors" message even though I have allocated 16000+ descriptors to
> the process. Is that not enough?

Squid probably does not know that it has that many filedescriptors
available. See the output in cache.log when Squid starts.

If you have changed the upper limit supported by your machine after you
built your squid, then you need to rebuild Squid to make the change
effective.

> Question 4: When I start squid, I get the following series of messages:
>
> 1999/06/24 17:46:31| realconf line 18: ident_lookup_access deny all
> 1999/06/24 17:46:31| aclParseAccessLine: ACL name 'all' not found.
[...]
> These are troubling because there are only 16 lines in the configuration file!

These are caused by internal defaults which assume that there is an ACL
named all defined in squid.conf.

Add the acl line
acl all src 0.0.0.0/0
at the top of your squid.conf and the warnings should go away.

You also need to have at least one http_access line giving access to
clients, or Squid will refuse all requests once you add that missing
definition of "all". To restore your current config, use
http_access allow all

(the builtin default is http_access deny all which was one of the failed
configuration directives).

--
Henrik Nordstrom
Spare time Squid hacker
Received on Thu Jun 24 1999 - 17:15:11 MDT
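The distinction Henrik draws above (a handshake that is answered with a TCP Reset by the origin server, versus SYNs that are never answered at all) can be checked from a packet capture. The following is an added example, not code from the original post or from the Squid project: it parses tcpdump-style lines (the sample lines are constructed for this example, with RFC 5737 documentation addresses) and pairs each client SYN with the server's reply, so a pair that is repeatedly refused with RST stands out from a half-open pattern where no reply ever comes back.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the original post). Lines follow the
# shape "HH:MM:SS.ffffff src.port > dst.port: Flags [..], ...".
# 10.0.0.5 plays the proxy, 192.0.2.10/.11 two addresses of one refusing
# origin host, 192.0.2.12 a healthy server, 198.51.100.x unanswered sources.
SAMPLE_LINES = """\
17:46:31.000100 10.0.0.5.40001 > 192.0.2.10.80: Flags [S], seq 1
17:46:31.000300 192.0.2.10.80 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2
17:46:31.001100 10.0.0.5.40002 > 192.0.2.10.80: Flags [S], seq 1
17:46:31.001300 192.0.2.10.80 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2
17:46:31.002100 10.0.0.5.40003 > 192.0.2.11.80: Flags [S], seq 1
17:46:31.002300 192.0.2.11.80 > 10.0.0.5.40003: Flags [R.], seq 0, ack 2
17:46:40.000100 198.51.100.7.1025 > 192.0.2.10.80: Flags [S], seq 1
17:46:40.000200 198.51.100.8.1025 > 192.0.2.10.80: Flags [S], seq 1
17:46:40.000300 198.51.100.9.1025 > 192.0.2.10.80: Flags [S], seq 1
17:46:45.000100 10.0.0.5.40004 > 192.0.2.12.80: Flags [S], seq 1
17:46:45.000300 192.0.2.12.80 > 10.0.0.5.40004: Flags [S.], seq 7, ack 2
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_packets(text):
    """Yield (src, sport, dst, dport, flags) for every line the regex matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify_syns(text):
    """Pair each client SYN with the server's answer.

    Returns {(client_ip, server_ip): {"refused": n, "accepted": n, "unanswered": n}}.
    A SYN answered with RST counts as refused (the case described in the post),
    one answered with SYN/ACK as accepted, and one never answered as unanswered.
    """
    pending = {}  # (client, cport, server, sport) -> (client, server)
    stats = defaultdict(lambda: {"refused": 0, "accepted": 0, "unanswered": 0})
    for src, sport, dst, dport, flags in parse_packets(text):
        if flags == "S":  # bare SYN from the client side
            pending[(src, sport, dst, dport)] = (src, dst)
            continue
        pair = pending.pop((dst, dport, src, sport), None)
        if pair is None:
            continue  # reply to a SYN that is not in this capture
        if "R" in flags:
            stats[pair]["refused"] += 1
        elif "S" in flags and "." in flags:
            stats[pair]["accepted"] += 1
    for pair in pending.values():  # SYNs that never got any reply
        stats[pair]["unanswered"] += 1
    return dict(stats)


def verdict(counts):
    """Label one client/server pair from its SYN outcomes."""
    total = sum(counts.values())
    if total and counts["refused"] == total:
        return "refused-retries"  # handshake completed, server sent RST each time
    if total and counts["unanswered"] == total:
        return "half-open"  # SYNs with no reply at all
    return "normal"


def report(text):
    """Map each (client_ip, server_ip) pair to its verdict."""
    return {pair: verdict(c) for pair, c in classify_syns(text).items()}


if __name__ == "__main__":
    for (client, server), label in sorted(report(SAMPLE_LINES).items()):
        print(f"{client:>15} -> {server:<12} {label}")
```

Run against a real capture, the "refused-retries" rows are the ones to compare with Squid's retry settings; a complaint about a SYN flood that resolves to such a row is the behaviour described above rather than a half-open attack.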
