Re: [squid-users] code red is making horrible on our network

From: Joe Cooper <joe@dont-contact.us>
Date: Thu, 09 Aug 2001 20:36:49 -0500

Luiz Lima wrote:

>>I do not think you can solve the problem by modifying Squid.
>>If I get you right, you are under a distributed denial of service
>>attack (essentially) originated from your own customers.
>>
>
> Well, the attack is not ON me. It's through me... When Code Red tries to
> reach other people's port 80, transparent proxy catches it and redirects the
> calls through Squid. When it gets flooded, it goes down. When things
> time-out, it comes back up (few minutes) but just until it begins to be
> flooded again.

I think you've missed the point. The attack /is/ on you. Just because
it's not intended to be hitting you, doesn't mean that it isn't. Your
problem is the definition of a DDoS attack.

> The most impressive thing to me, however, is that I'm talking about 33.6kbps
> dial-up customers and all I need is ONE infected customer online and 20
> seconds of Code Red running on his computer to lose Squid.

I don't see how this could happen--are you running out of file
descriptors or available ports? We have a number of clients running
Squid, and seeing far more of these requests than you are, and are not
being shut down by it. One of our clients was getting about 200 CodeRed
requests per minute from several hosts, and while Squid wasn't happy
about it, it never failed.

>>You can hack your way out by auto-parsing Squid access log,
>>auto-extracting IP addresses of affected customers, and auto-
>>building a "block" or, better, "do-not-redirect-to-Squid" IP list
>>for your router...
>>
>
> While it looks ugly, it's not impossible..... Good suggestion. I'll try
> other stuff first but it's a reasonable last resort. Thanks.

There is no other stuff. If you want the requests to stop hitting your
Squid it has to be fixed at the network layer...Squid will process it
one way or another (either accept the request or deny it) as long as
those packets are being redirected to Squid.

But I think fixing the reason your Squid is so flimsy is probably the
solution you need here. Raising file descriptors and available ports
should do it.
                                   --
                      Joe Cooper <joe@swelltech.com>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com
Received on Thu Aug 09 2001 - 19:30:15 MDT
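
Added example, not part of the original message and not Squid project code: one way to do the access-log parsing suggested in the quoted text, producing the client list a router "do-not-redirect-to-Squid" rule would be built from. It assumes Squid's native access.log layout and the worm's `/default.ida?` request padded with N or X characters; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
997407409.112    240 192.0.2.17 TCP_MISS/404 512 GET http://198.51.100.9/default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 - DIRECT/198.51.100.9 text/html
997407409.350  30012 192.0.2.17 TCP_MISS/504 1024 GET http://198.51.100.77/default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 - DIRECT/198.51.100.77 -
997407410.020    118 192.0.2.44 TCP_HIT/200 8192 GET http://www.example.com/index.html - NONE/- text/html
997407410.907  30009 192.0.2.17 TCP_MISS/504 1024 GET http://203.0.113.5/default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 - DIRECT/203.0.113.5 -
997407411.300     95 192.0.2.80 TCP_MISS/404 400 GET http://www.example.org/default.ida?NNNNNNNNNNNNNNNN - DIRECT/www.example.org text/html
this line is truncated garbage
"""

# Assumed signature: /default.ida with a query that starts with a run of
# N (Code Red) or X (Code Red II) padding characters.
WORM_URL = re.compile(r"/default\.ida\?[NX]{8,}")


def infected_clients(log_text, min_targets=2):
    """Return sorted client IPs that sent the worm request to at least
    min_targets distinct destination hosts.

    Counting distinct destinations rather than raw hits separates a
    scanning host from a user who followed a single odd link.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, url = fields[2], fields[6]
        if WORM_URL.search(url):
            targets[client].add(urlsplit(url).hostname)
    return sorted(c for c, hosts in targets.items()
                  if len(hosts) >= min_targets)


if __name__ == "__main__":
    # One address per line, ready to be turned into router rules
    # in whatever syntax the router uses.
    print("\n".join(infected_clients(SAMPLE_LOG)))
```

Because the requests are logged only after Squid has already handled them, the list has to be regenerated periodically and aged out once a customer's machine is cleaned.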
