[squid-users] blocking worms

From: Brad Groshok <bg-squid@dont-contact.us>
Date: Thu, 19 Feb 2004 10:57:11 -0500 (EST)

Sorry to bring up such an old issue

Our squid boxes keep getting overwhelmed with requests from customers that
have been infected with a worm.
Infected systems keep trying to surf to random IP addresses.

Looking through past comments about this, someone has suggested blocking
requests to IP addresses.
(I think this is what was suggested.)

acl worm url_regex ^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/.*$
http_access deny worm

Others have said this is a firewall issue and should be dealt with at the
router level.

I know this is maybe not directly squid related, but if I'm having this
issue, I'm sure other squid users are.

Which approach would be best for dealing with this problem?
Having squid deal with it, or blocking at the router level?

And if at the router level:
Can anybody post a simple solution for blocking this on a Cisco router?

As an ISP, something tells me that blocking HTTP requests to IP addresses
is a bad thing to do. It's perfectly legit for our customers to surf to
an IP address. (We'd just like it if it wasn't happening en masse from a
worm, causing a slowdown for other customers.)

Actually, one last question. What is really happening here?
Is the worm making many requests, presumably to ip addresses that don't
have web servers running on them, and squid is waiting for the replies to
come back? (timing out)
Is squid getting slow because it has reached some max number of open
connections? (while waiting for these replies/timeouts)
Received on Thu Feb 19 2004 - 08:57:17 MST
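A worked example, added here and not part of Brad's post or of Squid itself: it compiles the posted url_regex exactly as written, checks which request URLs that ACL would match, and then runs the same match over a few constructed Squid native-format access.log lines to count bare-IP requests per client. That shows the trade-off the post raises: a blanket `http_access deny` hits every customer who types an IP address, whereas counting per client isolates the hosts whose traffic is almost entirely bare-IP requests. The log lines, client addresses, destination IPs and the thresholds `min_requests` and `min_share` are constructed or assumed values, not anything from the post.

```python
import re
from collections import defaultdict

# The url_regex from the post, compiled verbatim. Squid's url_regex is a
# case-sensitive regex search over the full request URL; this pattern anchors
# itself with ^ and $, so it only matches URLs whose host is four dotted
# digit groups followed directly by a '/' (no port, no hostname).
WORM_ACL_REGEX = re.compile(r"^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/.*$")


def acl_worm_matches(url: str) -> bool:
    """True if the 'worm' ACL from the post would match this request URL."""
    return WORM_ACL_REGEX.search(url) is not None


def parse_native_log_line(line: str):
    """Parse one line of Squid's native access.log format:
    time elapsed client code/status bytes method URL ident hierarchy/peer type
    Returns (client, url, code_status), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[6], fields[3]


def flag_suspect_clients(lines, min_requests=5, min_share=0.8):
    """Count bare-IP requests per client and return {client: (ip_hits, total)}
    for clients that made at least min_requests requests of which a share of
    min_share or more matched the ACL. Both thresholds are assumed values."""
    totals = defaultdict(int)
    ip_hits = defaultdict(int)
    for line in lines:
        parsed = parse_native_log_line(line)
        if parsed is None:
            continue  # skip lines we cannot parse rather than miscount
        client, url, _status = parsed
        totals[client] += 1
        if acl_worm_matches(url):
            ip_hits[client] += 1
    suspects = {}
    for client, total in totals.items():
        if total >= min_requests and ip_hits[client] / total >= min_share:
            suspects[client] = (ip_hits[client], total)
    return suspects


# Constructed sample log: 10.0.0.5 behaves like an infected host (every request
# goes to a random IP and times out after ~120 s), 10.0.0.9 is a normal user who
# visited one site by IP address once.
SAMPLE_LOG = [
    "1077206231.123 120004 10.0.0.5 TCP_MISS/503 1400 GET http://198.51.100.23/ - DIRECT/198.51.100.23 text/html",
    "1077206231.456 120011 10.0.0.5 TCP_MISS/503 1400 GET http://203.0.113.7/ - DIRECT/203.0.113.7 text/html",
    "1077206231.789 120002 10.0.0.5 TCP_MISS/503 1400 GET http://192.0.2.45/ - DIRECT/192.0.2.45 text/html",
    "1077206232.012 120008 10.0.0.5 TCP_MISS/503 1400 GET http://198.51.100.201/ - DIRECT/198.51.100.201 text/html",
    "1077206232.345 120005 10.0.0.5 TCP_MISS/503 1400 GET http://203.0.113.99/ - DIRECT/203.0.113.99 text/html",
    "1077206232.678 120009 10.0.0.5 TCP_MISS/503 1400 GET http://192.0.2.8/ - DIRECT/192.0.2.8 text/html",
    "1077206233.001 231 10.0.0.9 TCP_MISS/200 8123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1077206233.234 87 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/style.css - NONE/- text/css",
    "1077206233.567 412 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.net/index.html - DIRECT/93.184.216.35 text/html",
    "1077206233.890 298 10.0.0.9 TCP_MISS/200 3072 GET http://198.51.100.77/status - DIRECT/198.51.100.77 text/html",
    "1077206234.123 156 10.0.0.9 TCP_MISS/200 1024 GET http://www.example.org/ - DIRECT/93.184.216.36 text/html",
]


def demo():
    """Run the per-client count over the constructed log."""
    return flag_suspect_clients(SAMPLE_LOG)


if __name__ == "__main__":
    for client, (hits, total) in demo().items():
        print(f"{client}: {hits}/{total} requests to bare IP addresses")
```

Two things worth knowing before copying the ACL: the posted pattern does not match a URL with an explicit port (`http://198.51.100.23:8080/`), because `:` cannot appear between the last digit group and the `/`, and Squid's url_regex is case-sensitive unless the ACL is declared with `-i`. Running the count over the access log instead of denying outright lets the ISP find the infected customer (10.0.0.5 here) without breaking the customer who legitimately fetched one page by IP address.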

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST