RE: [squid-users] New exploit? Two squid proxies simultaneously spike to 99 percent CPU utilization.

MSN messenger was down during that period, do u observed an increased in SYN
packet count?

-----Original Message-----
From: Elsen Marc [mailto:elsen@imec.be]
Sent: Tuesday, October 12, 2004 1:43 PM
To: Spam; squid-users@squid-cache.org
Subject: RE: [squid-users] New exploit? Two squid proxies simultaneously
spike to 99 percent CPU utilization.

> This is freaky.
>
> I use Big Sister to monitor my networks. Earlier today, I began
> getting CPU utilization messages on two of my proxies. Each proxy was
> reporting 99 percent utilization, caused by the squid process. These =
> proxies
> are located at completely different businesses located on
> opposite ends =
> of
> town, and they have no affiliation with each other.
>
> I investigated for a few hours and I couldn't find a reason. The
> access logs weren't excessive and there didn't seem to be a lot of =
> traffic
> through the proxies.
>
> Then I looked at my big sister trend logs and really freaked
> out. They =
> both
> started spiking at almost EXACTLY the same time and in
> EXACTLY the same =
> pattern.
> To see what I mean, check out the patterns:
>
> http://www.corn-bread.org/admintest.bmp
> http://www.corn-bread.org/rudolph.bmp
>
> Note that the times, severity of the spike, etc are roughly the same.
>
>
> Both systems are redhat 9 running squid rpms (squid-2.5.STABLE1-3.9).
>
> I can post my squid.confs if needed.
>
> Any known issues right now?

  I got it too.

  Quite remarkable; perhaps it is not an exploit but due to a chunk
  of the Internet becoming available , making SQUID check on
  hanging connections. I don't know.

  Some insights may perhaps come from , when it happens again :

        % squid -k debug ; sleep 2; squid -k debug

  Check cache.log afterwards.

  M.
Received on Tue Oct 12 2004 - 00:13:45 MDT