Re: [squid-users] code red is making horrible on our network

From: Robin Stevens <robin.stevens@dont-contact.us>
Date: Fri, 10 Aug 2001 11:18:06 +0100

On Thu, Aug 09, 2001 at 08:36:49PM -0500, Joe Cooper wrote:
> Luiz Lima wrote:
> > The most impressive thing to me, however, is that I'm talking about
> > 33.6kbps dial-up customers and all I need is ONE infected customer
> > online and 20 seconds of Code Red running on his computer to lose
> > Squid.
> I don't see how this could happen--are you running out of file
> descriptors or available ports? We have a number of clients running
> Squid, and seeing far more of these requests than you are, and are not
> being shut down by it. One of our clients was getting about 200 CodeRed
> requests per minute from several hosts, and while Squid wasn't happy
> about it, it never failed.

Indeed - I've been quite impressed with just how much Squid *can* handle.
http://www2.merton.ox.ac.uk/~rejs/images/codered.gif shows the MRTG graphs
for our primary servers the first time we saw a code red host on the
network - sustaining over 300 req/sec per server over several hours, mainly
from a single infected host on a 100Mbit connection.

I wasn't in that day but those who were didn't notice any adverse effect on
web browsing and so the attack went unnoticed. What it does make a mess
of is the maximum simultaneous connections per server settings at our L4
switch - causing traffic to flip between the primary server pool and the
backup/overflow group.

Given that Code Red infected hosts try to open hundreds of simultaneous
connections, I'd agree that a file descriptor limit is likely to be Luiz's
problem - a dialup host is probably trying to establish several new
connections before an old one is sent an error message and closed.

-- 
--------------- Robin Stevens  <robin.stevens@oucs.ox.ac.uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------
Received on Fri Aug 10 2001 - 04:18:19 MDT
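
Added example, not part of the original message: one way to test the file-descriptor theory above is to estimate, per client, how many requests were open at the same instant according to Squid's native access.log. The log lines, addresses and the limit of 3 are constructed for illustration, and the script assumes the first field is the request's finish time and the second its duration in milliseconds.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
#   end_time elapsed_ms client action/code bytes method URL ident hierarchy type
# Assumption: the timestamp is when the request finished, so start = end - elapsed.
SAMPLE_LOG = """\
997438680.000    200 10.0.0.8 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
997438681.000    300 10.0.0.8 TCP_MISS/200 2048 GET http://www.example.com/a.gif - DIRECT/192.0.2.80 image/gif
997438686.100   9000 10.0.0.7 TCP_MISS/504 1024 GET http://192.0.2.11/default.ida? - DIRECT/192.0.2.11 -
997438686.300   9000 10.0.0.7 TCP_MISS/504 1024 GET http://192.0.2.12/default.ida? - DIRECT/192.0.2.12 -
997438686.500   9000 10.0.0.7 TCP_MISS/504 1024 GET http://192.0.2.13/default.ida? - DIRECT/192.0.2.13 -
997438686.700   9000 10.0.0.7 TCP_MISS/504 1024 GET http://192.0.2.14/default.ida? - DIRECT/192.0.2.14 -
997438686.900   9000 10.0.0.7 TCP_MISS/504 1024 GET http://192.0.2.15/default.ida? - DIRECT/192.0.2.15 -
"""

def parse_line(line):
    """Return (client, start_time, end_time) for one access.log line."""
    fields = line.split()
    end = float(fields[0])
    return fields[2], end - int(fields[1]) / 1000.0, end

def peak_concurrency(log_text):
    """Return {client: largest number of requests open at the same instant}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, start, end = parse_line(line)
        events[client].append((start, 1))    # request opened
        events[client].append((end, -1))     # request closed
    peaks = {}
    for client, evs in events.items():
        open_now = peak = 0
        # Sorting puts a close (-1) before an open (+1) at the same timestamp,
        # so back-to-back requests are not counted as overlapping.
        for _, delta in sorted(evs):
            open_now += delta
            peak = max(peak, open_now)
        peaks[client] = peak
    return peaks

def flag_clients(log_text, limit):
    """Clients whose peak of simultaneous requests exceeds `limit`."""
    return sorted(c for c, p in peak_concurrency(log_text).items() if p > limit)

if __name__ == "__main__":
    print(peak_concurrency(SAMPLE_LOG), flag_clients(SAMPLE_LOG, 3))
```

The per-client peak is only a rough lower bound on the descriptors a host ties up, since it counts logged requests and not server-side sockets or connections that never produced a log line.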
