Re: [squid-users] Reverse - Apache - Syn Flood

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Sun, 02 Nov 2008 21:51:43 +0100

On Sun, 2008-11-02 at 20:34 +0200, Mehmet CELIK wrote:

> I want to set up Squid reverse proxy for my Apache servers. But.. Can
> Squid protect my Apache servers from Syn flood and Bot-Net attack? or
> Squid drop this connection, when Apache is the syn_recv? or Squid
> Reverse be enough to this as resource? or Can it be resource problem?

SYN floods aren't really a big problem with correct OS tuning; they only cost
memory and a little bit of CPU to deal with. You need a sufficiently
large SYN backlog. This is independent of Squid, same for any TCP
service.

Connection flooding is worse.. and requires offending clients to be
blacklisted by firewalling once identified.

Hmm... we probably should do something about that in Squid as well..
there is a good beginner task for anyone interested in Squid
development. http://wiki.squid-cache.org/Features/TCPAccess

Regards
Henrik

Received on Sun Nov 02 2008 - 20:51:48 MST
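
The reply above separates half-open SYN floods, which the SYN backlog absorbs, from connection flooding, where offending clients have to be identified and firewalled. The following is an added example, not part of the original message or of Squid, that makes that split on a connection table. It assumes the column layout of Linux `ss -tan`; the sample lines, the port and the per-client limit are constructed for illustration.

```python
from collections import Counter
import ipaddress

# Constructed sample in the column layout of Linux `ss -tan`.
# All addresses come from documentation ranges, not real hosts.
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80       198.51.100.7:40112
SYN-RECV   0      0      192.0.2.10:80       198.51.100.99:51234
SYN-RECV   0      0      192.0.2.10:80       203.0.113.200:1029
ESTAB      0      0      192.0.2.10:80       203.0.113.5:50001
ESTAB      0      0      192.0.2.10:80       203.0.113.5:50002
ESTAB      0      0      192.0.2.10:80       203.0.113.5:50003
ESTAB      0      0      192.0.2.10:80       203.0.113.5:50004
ESTAB      0      0      192.0.2.10:80       198.51.100.20:44321
ESTAB      0      0      192.0.2.10:22       203.0.113.5:50900
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
"""

def summarize(ss_output, port=80, max_conns_per_ip=3):
    """Return (half_open_total, {peer_ip: established_count above the limit})."""
    half_open = 0
    established = Counter()
    for line in ss_output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if local.rpartition(":")[2] != str(port):
            continue                                # other services are out of scope
        peer_ip = peer.rpartition(":")[0].strip("[]")
        try:
            ipaddress.ip_address(peer_ip)           # skip rows with a malformed peer
        except ValueError:
            continue
        if state == "SYN-RECV":
            half_open += 1                          # pending handshake, held in the SYN backlog
        elif state == "ESTAB":
            established[peer_ip] += 1               # completed handshake, counted per client
    offenders = {ip: n for ip, n in established.items() if n > max_conns_per_ip}
    return half_open, offenders

if __name__ == "__main__":
    half_open, offenders = summarize(SAMPLE)
    print("half-open (SYN-RECV) on port 80:", half_open)
    for ip, n in sorted(offenders.items()):
        print("blacklist candidate:", ip, "established:", n)
```

The half-open total is the number to compare against the configured SYN backlog; only the per-client established counts feed a firewall blacklist.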
