RE: [squid-users] Squid HIT analysis, worm DoS mitigation, and general config tweaking

From: Elsen Marc <elsen@dont-contact.us>
Date: Wed, 25 Feb 2004 09:25:54 +0100

 
>
> New to the list. I'm sorry if this stuff is covered in a list FAQ somewhere
> that I'm unable to find. I have 3 main questions about the wonderful squid
> cache.

  FAQ :

  http://www.squid-cache.org/Doc/FAQ/FAQ.html

>
> 1. I want to analyze my squid logs graphically in terms of TCP_HIT,
> TCP_MEM_HIT and other codes from the logs. I'm sure there's something out
> there to do it already that I'm just not aware of.

  Look for various tools available in :

  http://www.squid-cache.org/Scripts/

  Also check the squid FAQ on how to use Squid with MRTG.

>
> 2. Also, we've been feeling the brunt of all the new Welchia variants that
> try port 80 attacks through random, high-frequency portscanning, which saps
> our squid caches of file descriptors. From doing some previous list reading,
> I have set half_closed_connections to off, as well as client_persistent
> connections to off. I didn't turn server_persistent to off, because, well,
> it sounds important. Am I being a pansy for not doing this? I'm also

  Although a personal opinion; I think so, yes. The kind of attacks
  you describe should be handled by perimeter firewalling infrastructure.
  If you have a good fw. setup then, for instance, port scans should not be
  able to reach your squid box. Also, that in particular is not much related
  to fd. usage, as squid only listens on one port.
  Meaning that resource-exhausting attacks on squid would in any
  case have to be http-'applicated' based.

  

> curious how these settings help the file descriptor problem, as they sound
> like they adjust network connection behaviour as opposed to anything that
> impacts file descriptors. Can anyone shed light on how this works? Also,
> would there be any reason a service provider with many diversely screwed-up
> operating systems and corresponding screwed-up browsers would not want to
> muck with these Squid settings?
>
> 3. Why is the squid cache so slow when I use diskd? What guidelines do all
> of you use for large caches (>20GB) in terms of directory structure, memory
> options, and diskd/no diskd, ufs/no ufs?

  Well, read the FAQ part on diskd. Diskd often
  requires OS related tuning.

  M.

>
> Thanks,
>
> Paul
>
>
Received on Wed Feb 25 2004 - 01:26:00 MST
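
Added example, not part of the original message or of the Squid project's scripts: a small tally of access.log result codes (question 1) that also lists clients exceeding a per-second request count, which helps show which hosts are consuming connections (question 2). It assumes Squid's native access.log format; the sample lines, the function names and the burst threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1077697554.123     12 10.0.0.5 TCP_HIT/200 4512 GET http://example.com/a.gif - NONE/- image/gif
1077697554.301      3 10.0.0.5 TCP_MEM_HIT/200 812 GET http://example.com/b.css - NONE/- text/css
1077697554.950    240 10.0.0.7 TCP_MISS/200 10240 GET http://example.org/ - DIRECT/192.0.2.10 text/html
1077697555.010      1 10.0.0.9 TCP_DENIED/403 1030 GET http://198.51.100.1/ - NONE/- text/html
1077697555.020      1 10.0.0.9 TCP_DENIED/403 1030 GET http://198.51.100.2/ - NONE/- text/html
1077697555.030      1 10.0.0.9 TCP_MISS/000 0 GET http://198.51.100.3/ - DIRECT/198.51.100.3 -
this line is malformed
"""

def parse_line(line):
    """Return (timestamp, client, result_code, http_status) or None if malformed."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return float(fields[0]), fields[2], code, int(status)
    except ValueError:
        return None

def summarize(log_text, burst_threshold=3):
    """Tally result codes, compute the hit ratio, and list bursty clients."""
    codes = Counter()
    per_client_second = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparseable lines instead of crashing
            continue
        ts, client, code, _status = rec
        codes[code] += 1
        per_client_second[(client, int(ts))] += 1
    total = sum(codes.values())
    # Any result code containing "HIT" (TCP_HIT, TCP_MEM_HIT, ...) counts as a hit.
    hits = sum(n for c, n in codes.items() if "HIT" in c)
    # Clients with at least burst_threshold requests inside one second.
    noisy = sorted({c for (c, _), n in per_client_second.items() if n >= burst_threshold})
    return {"codes": dict(codes), "hit_ratio": hits / total if total else 0.0,
            "noisy_clients": noisy, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-code counts can be fed to any plotting or MRTG-style grapher; the threshold of 3 requests per second only suits the tiny sample and needs tuning against real traffic.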

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST