Re: [squid-users] Users spamming squid logs

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 30 Apr 2007 17:35:45 +0800

On Mon, Apr 30, 2007, Daniel Appleby wrote:
> Hi,
>
> We have an issue where peoples boxes that have java installed basically
> hit our proxy continuously (java must get the settings from IE). The
> proxy requires auth so it sends back a 407. The java updater ignores
> this and tries again.
>
> So our logs fill up with machines (only takes one or two) requesting the
> same file and getting the same response time after time. This is most
> cases peoples laptops so we it's hard to police the machines as they
> come and go so quickly.

Ah, I remember this. The horrible jre downloader that (a) doesn't grok auth,
and (b) fails miserably to wait anything longer than a few ms before
retrying.

I ended up just putting an ACL into Squid whenever I saw this and had the
user contact us for "help".

Alternatively you could just allow that particular URL non-authenticated
access.

Adrian

> A snip of the spam we get:
>
> 1173963552.808 1 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.810 1 128.184.118.146 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.819 9 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.822 1 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.827 3 128.184.118.146 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.828 2 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.843 4 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.843 4 128.184.118.146 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.848 1 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.853 1 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.862 4 128.184.118.146 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.863 3 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
> 1173963552.880 3 128.184.46.108 TCP_DENIED/407 11494 GET
> http://java.sun.com/webapps/download/GetFile/1.5.0_03-b07/windows-i586/jre1.5.0_03.msi
> - NONE/- text/html
>
>
> Does anyone know a way to stop people doing this? I don't really want to
> iptables them off. Can you restrict the number of requests per ip to a file?
>
> Thanks
> Daniel
>
> --
> -----------------------------------------------------------------------------
> Daniel Appleby

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
Received on Mon Apr 30 2007 - 03:36:56 MDT

This archive was generated by hypermail pre-2.1.9 : Tue May 01 2007 - 12:00:01 MDT