Re: [squid-users] code red is making horrible on our network

From: Duane Wessels <wessels@dont-contact.us>
Date: Fri, 10 Aug 2001 15:41:52 -0600 (MDT)

On Thu, 9 Aug 2001, Luiz Lima wrote:

> > I assume you're blocking code red requests by URL matching,
> > right?
>
> I try to but since Code Red's requests are not 100% compliant it is not
> checked by the acls.
>
> From what I've learned in the last days from research and this list, Squid
> replies with NONE/411 and those requests are not checked because they are
> not served anyway.

The NONE/411 reply may be due to a Squid bug. But in this case it is
working to your benefit. Squid sends the NONE/411 reply very quickly
and should close the connection. Thus, the worm requests shouldn't
tie up very many resources in your Squid process.

>
> > Can you explain with more detail how Squid is brought to its
> > knees? Do you run out of file descriptors, TCP ports, network
> > mbufs?
>
> I don't know. I'm not a Squid expert and, honestly, I've been running
> 2.3-STABLE1 from an RPM package. I've just compiled 2.4-STABLE1 but haven't
> had the time to see if it fails in the same way. To keep running, I've
> disabled redirection to Squid on my switch.
>
> If you are interested in the behavior of 2.3-STABLE1, I can do the testing
> for you. Just tell me how I can get to the info you need. All I have to
> do is turn on transparent proxy and wait for the first infected customer to
> dial-in.

If squid is dying/exiting, you need to try to find out why. Look
in cache.log for error messages. Check your syslog for messages
about Squid too.

Perhaps you are running out of file descriptors. The Squid FAQ
has instructions for increasing your file descriptor limits.

Perhaps you are running out of TCP ports. The worm's requests may
tie up ports in TIME_WAIT state. See
http://www.ncftpd.com/ncftpd/doc/misc/ephemeral_ports.html for
information on how to increase the ephemeral port range.

Perhaps you're running out of disk space. If the worm makes a
high rate of requests, your access.log file is growing quickly.
Received on Fri Aug 10 2001 - 15:41:52 MDT
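
An added example, not part of the original message and not Squid project code: a small parser for Squid's native access.log format that tallies the NONE/411 replies discussed above per client, so infected dial-in customers can be identified and the log growth caused by the worm estimated. The sample log lines, addresses and URLs are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
997479700.101      3 192.0.2.21 NONE/411 1112 GET http://198.51.100.7/x - NONE/- -
997479700.350    212 192.0.2.40 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.5 text/html
997479701.020      2 192.0.2.21 NONE/411 1112 GET http://198.51.100.9/x - NONE/- -
997479702.500      2 192.0.2.33 NONE/411 1112 GET http://198.51.100.3/x - NONE/- -
997479704.101      4 192.0.2.21 NONE/411 1112 GET http://198.51.100.8/x - NONE/- -
truncated line to be skipped
"""


def summarize_status(lines, status="NONE/411"):
    """Count log entries with the given action/code per client address.

    Returns the per-client counts, the total, the bytes of access.log those
    entries occupy, and the average rate over the observed time span.
    """
    per_client = Counter()
    log_bytes = 0
    first = last = None
    for line in lines:
        fields = line.split()
        # Skip malformed or truncated lines and entries with other results.
        if len(fields) < 7 or fields[3] != status:
            continue
        try:
            ts = float(fields[0])
        except ValueError:
            continue
        per_client[fields[2]] += 1
        log_bytes += len(line.encode()) + 1  # +1 for the newline on disk
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    total = sum(per_client.values())
    span = (last - first) if total > 1 else 0.0
    rate = total / span if span > 0 else 0.0
    return {"per_client": per_client, "total": total,
            "log_bytes": log_bytes, "rate_per_sec": rate}


if __name__ == "__main__":
    report = summarize_status(SAMPLE_LOG.splitlines())
    for client, count in report["per_client"].most_common():
        print(f"{client}\t{count}")
    print(f"{report['total']} entries, {report['log_bytes']} log bytes, "
          f"{report['rate_per_sec']:.2f}/s")
```

To run it against a live log, pass the open file object instead of `SAMPLE_LOG.splitlines()`.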