Re: [squid-users] outgoing traffic high.....http??

From: Hendrik Voigtländer <hendrik@dont-contact.us>
Date: Wed, 26 May 2004 21:20:17 +0200

Port 4665 and similar sounds like e-mule/ed2k.

Check your ACLs; you are probably allowing CONNECT to those ports.
This should be limited to SSL ports only (squid default):

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

An uploading ed2k client would explain the high outgoing traffic.

Regards, Hendrik.

Hement Gopal wrote:
> hi all
>
> Outgoing traffic from my site has been extremely high for the last few
> months.
> I installed ntop and found that http was the top talker ...but can't run
> ntop for too long as I don't have enough memory on the server...as a
> result i am only getting brief snapshots of my network usage [:(]
>
> I am also running webalizer and other squid log analyzing software and
> have found the top users connecting to odd sites via odd ports. here is
> a sample of the reports
>
> ACCESSED SITE           CONNECT  BYTES      %BYTES  IN-CACHE-OUT     USED TIME  MILISEC     %TIME
> download.microsoft.com  24       9.418.948  1.46%   100.00%   0.00%  00:01:52   112.847     0.00%
> 80.7.8.38:4660          21       9.252.496  1.44%     0.00% 100.00%  03:24:38   12.278.775  0.10%
> 82.48.17.148:4663       27       8.770.325  1.36%     0.00% 100.00%  01:22:00   4.920.548   0.04%
> 83.33.192.223:4665      22       8.134.394  1.26%     0.00% 100.00%  01:20:31   4.831.163   0.04%
> 82.51.9.119:6246        20       8.082.783  1.26%     0.00% 100.00%  00:50:17   3.017.871   0.03%
> 65.25.54.110:4665
>
> The above is from one of the top five proxy users in my network...but i
> see these types of repeated connections (to various sites) coming from
> many of my other clients.
>
> I suspect that these weird outgoing connections could be causing my
> outgoing traffic graph to be high.
>
> Can a squid guru out there tell me if i'm on the right track and if
> there is anything in squid.conf i can do to stop these automated
> requests.
>
> TIA.
>
> Rgds,
> Hement Gopal
>
Received on Wed May 26 2004 - 13:20:49 MDT
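
An added example (not part of the original thread) of one way to check the diagnosis above from the proxy's own logs: it scans Squid native-format access.log lines for CONNECT tunnels that were allowed to ports outside SSL_ports and totals them per client. Assumptions: the stock "acl SSL_ports port 443 563" definition, the native log format, constructed sample lines using documentation addresses, and the hypothetical function name odd_connects.

```python
"""Added example: flag CONNECT tunnels to non-SSL ports in a Squid access.log."""
from collections import defaultdict

# Assumption: the stock squid.conf definition "acl SSL_ports port 443 563".
SSL_PORTS = {443, 563}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1085512801.120 112847 10.0.0.21 TCP_MISS/200 9418948 GET http://download.microsoft.com/x.exe - DIRECT/192.0.2.10 application/octet-stream
1085512900.500 4831163 10.0.0.21 TCP_MISS/200 8134394 CONNECT 198.51.100.7:4665 - DIRECT/198.51.100.7 -
1085513000.000 3017871 10.0.0.21 TCP_MISS/200 8082783 CONNECT 198.51.100.9:6246 - DIRECT/198.51.100.9 -
1085513100.250 2100 10.0.0.35 TCP_MISS/200 5120 CONNECT www.example.com:443 - DIRECT/192.0.2.44 -
1085513200.750 15 10.0.0.35 TCP_DENIED/403 1400 CONNECT 198.51.100.7:4665 - NONE/- text/html
truncated line
"""

def odd_connects(lines, ssl_ports=SSL_PORTS):
    """Return {client: {port: (tunnels, bytes)}} for allowed CONNECTs to non-SSL ports."""
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue  # malformed line, or not a tunnel request
        client, result, size, target = f[2], f[3], f[4], f[6]
        if result.startswith("TCP_DENIED"):
            continue  # already refused by http_access, no tunnel was opened
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit() or not size.isdigit():
            continue  # CONNECT targets are host:port; skip anything else
        if int(port) not in ssl_ports:
            entry = report[client][int(port)]
            entry[0] += 1          # number of tunnels
            entry[1] += int(size)  # bytes field as logged by Squid
    return {c: {p: tuple(v) for p, v in ports.items()} for c, ports in report.items()}

if __name__ == "__main__":
    for client, ports in odd_connects(SAMPLE_LOG.splitlines()).items():
        for port, (count, size) in sorted(ports.items(), key=lambda kv: -kv[1][1]):
            print(f"{client} CONNECT port {port}: {count} tunnel(s), {size} bytes")
```

Once "http_access deny CONNECT !SSL_ports" is in effect, the same requests show up as TCP_DENIED and the report comes back empty.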