Re: [squid-users] swuid / worm weirdness

From: Masood Ahmad Shah <masood@dont-contact.us>
Date: Sat, 13 Sep 2003 10:43:12 +0500

Brad,

Better to place an access list on your WCCP router. It will redirect only your
network's packets. I'm sure it will help.
You can also parse access.log with a simple Perl script and block IPs on your
squid box.

-- 
Best Regs,
Masood Ahmad Shah
System Administrator
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
|   * * * * * * * * * * * * * * * * * * * * * * * *
|   Fibre Net (Pvt) Ltd. Lahore, Pakistan
|   Tel: +92-42-6677024
|   Mobile: +92-300-4277367
|   http://www.fibre.net.pk
|   * * * * * * * * * * * * * * * * * * * * * * * *
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
----- Original Message ----- 
From: "Brad Groshok" <bg-squid@ody.ca>
To: <squid-users@squid-cache.org>
Sent: Saturday, September 13, 2003 7:27 AM
Subject: [squid-users] swuid / worm weirdness
| This topic has kind of been touched on here in the last few days.
|
| Running squid2.5stable3 on Redhat9
| Transparent mode from a cisco 7206VXR WCCP1
|
| I was just tailing access.log
| and noticed a particular IP address accessing what appeared to be random
| IP addresses. (The customer using that IP address was probably hit with one of
| the latest worms.)
|
| So I figured I'd cut access from that customer till we can contact them
| and get their system cleaned up.
|
| Changed their password so they could not get logged back in.
| Then disconnected their DSL connection to our network.
|
| So at this point we don't have anybody using this particular address.
|
| Still tailing squid access.log
| It's still showing that IP address making requests to random IP addresses.
| 10 min later!!!
|
| 15 min later still a couple of requests here and there, not as frequent, but
| they are still showing up in access.log.
| And guaranteed nobody is connected to that port/ip address.
| (Sample access.log below)
|
| Is it possible that these worms are causing our squid boxes to get this
| far behind in processing requests, taking over 10 min to get caught up once
| the offending source is disconnected?
|
|
|
| Sample access.log:
|
| 1063418773.024 240213 x.x.x.x TCP_MISS/504 1353 GET http://219.30.176.25/ - NONE/- text/html
| 1063418773.024 240305 x.x.x.x TCP_MISS/504 1351 GET http://210.90.151.3/ - NONE/- text/html
| 1063418774.524 240173 x.x.x.x TCP_MISS/504 1353 GET http://220.71.37.187/ - NONE/- text/html
| 1063418774.524 240240 x.x.x.x TCP_MISS/504 1355 GET http://128.90.223.113/ - NONE/- text/html
| 1063418774.524 241519 x.x.x.x TCP_MISS/504 1353 GET http://211.37.25.196/ - NONE/- text/html
| 1063418775.128 240807 x.x.x.x TCP_MISS/504 1355 GET http://211.114.62.254/ - NONE/- text/html
| 1063418776.770 240180 x.x.x.x TCP_MISS/504 1355 GET http://196.46.173.122/ - NONE/- text/html
| 1063418776.770 244050 x.x.x.x TCP_MISS/504 1355 GET http://202.123.179.21/ - NONE/- text/html
| 1063418777.010 245607 x.x.x.x TCP_MISS/504 1353 GET http://61.214.68.198/ - NONE/- text/html
| 1063418777.010 246002 x.x.x.x TCP_MISS/504 1355 GET http://219.101.249.35/ - NONE/- text/html
| 1063418778.101 240098 x.x.x.x TCP_MISS/504 1355 GET http://211.50.237.107/ - NONE/- text/html
| 1063418778.101 240096 x.x.x.x TCP_MISS/504 1353 GET http://211.28.206.68/ - NONE/- text/html
| 1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET http://211.204.118.87/ - NONE/- text/html
| 1063418781.003 239995 x.x.x.x TCP_MISS/504 1355 GET http://134.128.67.113/ - NONE/- text/html
|
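The "parse access.log and block IPs" idea from the reply, worked out as an added example (not code from either poster, and in Python rather than Perl). It reads Squid's native log format, flags clients whose requests time out (504) against many distinct hosts, emits the matching squid.conf deny lines, and uses the second field (elapsed milliseconds) to show why the entries keep appearing after the customer is cut off: Squid writes the entry only when the request finishes, so a line logged with elapsed 239995 describes a connection opened four minutes earlier. The client address 10.0.0.5 and the 200 entry are constructed; the destination hosts come from Brad's sample.

```python
"""Flag likely worm-infected clients from a Squid native access.log."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (one entry per line, as Squid writes it; the mail wrapped them).
# Fields: timestamp elapsed_ms client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1063418773.024 240213 10.0.0.5 TCP_MISS/504 1353 GET http://219.30.176.25/ - NONE/- text/html
1063418773.024 240305 10.0.0.5 TCP_MISS/504 1351 GET http://210.90.151.3/ - NONE/- text/html
1063418774.524 240173 10.0.0.5 TCP_MISS/504 1353 GET http://220.71.37.187/ - NONE/- text/html
1063418775.001 120 10.0.0.9 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
1063418781.003 239995 10.0.0.5 TCP_MISS/504 1355 GET http://134.128.67.113/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format entry; return None for lines that do not fit."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    logged, elapsed_ms = float(f[0]), int(f[1])
    return {
        "logged": logged,
        "elapsed": elapsed_ms / 1000.0,
        "started": logged - elapsed_ms / 1000.0,  # entry is written at completion
        "client": f[2],
        "status": f[3].split("/", 1)[1],
        "host": urlsplit(f[6]).hostname,
    }


def find_suspects(log_text, min_hosts=3):
    """Clients with >= min_hosts distinct destinations that ended in 504."""
    hosts = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] == "504":
            hosts[rec["client"]].add(rec["host"])
    return {c: sorted(h) for c, h in hosts.items() if len(h) >= min_hosts}


def deny_acl(suspects, name="worm_src"):
    """squid.conf lines for the flagged clients; they must precede the allow rules."""
    if not suspects:
        return ""
    lines = [f"acl {name} src {c}" for c in sorted(suspects)]
    return "\n".join(lines + [f"http_access deny {name}"])


def max_lag_seconds(log_text):
    """Longest gap between a request starting and Squid logging it."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return max((r["elapsed"] for r in recs), default=0.0)
```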
Received on Fri Sep 12 2003 - 23:43:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:43 MST