Re: [squid-users] How do I DOS-proof my cache

From: Amos Jeffries <>
Date: Thu, 17 Apr 2008 17:13:21 +1200

David Young wrote:
> Hi Amos,
> Unfortunately the maxconn ACL is not suitable in our circumstance, since
> we service several clients who are behind NAT'd IPs.. so there may be as
> many as 50 real browsers behind a single IP.. the collapsedforwarding
> option looks interesting, I'll keep an eye on that, thanks :)
> - David

Right. Well, with IPv4 either you or the customer using NAT is now
screwed. You can protect your business by limiting their IP or you can
remain at the mercy of their future expansions.

The middle ground on this is to use a combination of ACL to lift the
maxconn cap for NAT clients higher than then other clients. Or to roll
out IPv6 web access with Squid-3.1 as I have.

FYI: The IPv6 experience here has not been bad, the only major hurdle I
have encountered by going dual-stack is general-traffic transit to the
nearest v6-native network.


> On 17/04/2008, at 2:39 PM, Amos Jeffries wrote:
>> The 'maxconn' ACL is available in all squid to protect against this type
>> of client.
>> The collapsed forwarding feature of 2.x designed to cope with wider DDoS
>> still needs someone with time to port it into 3.x.
>> Amos

Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Tue Apr 22 2008 - 13:39:37 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT