Re: [squid-users] strange input traffic peaks

From: Chris Robertson <crobertson_at_gci.net>
Date: Thu, 15 Jan 2009 11:50:52 -0900

Anatoly Oreshkin wrote:
>
> Hello,
>
> We have squid server version squid-3.0.STABLE11-20090112 running on
> Scientific Linux 4.4.
> I noticed that sometimes, usually in working hours, input traffic sharply
> increases. I saw this increase in the GANGLIA graph for the proxy server. I
> looked into the squid log files but did not find that proxy clients
> increased their activity during these input traffic peaks.
> Then I continued to investigate the case with tcpdump:
>
> tcpdump -A -i eth0
>
> and discovered many tcp connections to external sites on port 80.
> But I did not find the names of these sites in squid logs
> although if clients access these sites then site names should be
> present in squid logs.
>
> Here is extract from tcpdump output:
>
> 11:28:15.232848 IP 194.187.97.85.webazilla.com.http >
> proxyter.pnpi.spb.ru.55605: . 1:1449(1448) ack 349 win 33304
> <nop,nop,timestamp 2902195045 1662548939>
> 11:28:15.232871 IP proxyter.pnpi.spb.ru.55605 >
> 194.187.97.85.webazilla.com.http: . ack 1449 win 2184
> <nop,nop,timestamp 1662549003 2902195045>
> 11:28:15.232878 IP 194.187.97.85.webazilla.com.http >
> proxyter.pnpi.spb.ru.55605: . 1449:2897(1448) ack 349 win 33304
> <nop,nop,timestamp 2902195045 1662548939>
> 11:28:15.232889 IP proxyter.pnpi.spb.ru.55605 >
> 194.187.97.85.webazilla.com.http: . ack 2897 win 2908
> <nop,nop,timestamp 1662549003 2902195045>
> 11:28:15.232896 IP 194.187.97.85.webazilla.com.http >
> proxyter.pnpi.spb.ru.55605: P 2897:4097(1200) ack 349 win 33304
> <nop,nop,timestamp 2902195045 1662548939>
> 11:28:15.232906 IP proxyter.pnpi.spb.ru.55605 >
> 194.187.97.85.webazilla.com.http: . ack 4097 win 3632
> <nop,nop,timestamp 1662549003 2902195045>
>
>
> proxyter.pnpi.spb.ru is our proxy server name. It is trying to access
> 194.187.97.85.webazilla.com on port 80. However there are no references
> to 194.187.97.85.webazilla.com in squid log files.

But there might be a reference to another name that maps to the same
IP... http://en.wikipedia.org/wiki/Reverse_DNS_lookup

When you see odd traffic like this, run...

squidclient cache_object://localhost/active_requests|grep ^uri

...to get a list of the hosts which are involved in active connections.
Find the IP address each of these hosts maps to, and then perform a
reverse DNS lookup on each of those IPs.

For what it's worth, webazilla.com appears to be a hosting company, so
it's likely that one of your customers was surfing to a site hosted with
webazilla.com's service.

> It is very strange. When I stop squid then these tcp connections
> disappear.
> The names of these sites are different, for example just an IP
> address, 88.208.22.108, or 80-239-152-58.customer.teliacarrier.com.

Probably the same story, different hosts.

>
>
> We have the following squid logs enabled: access.log, referer.log, store.log,
> useragent.log.
>
> Here is extract from squid.conf:
>
> ---------------------------------
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> ...
>
> acl allowed_hosts src <intranet client hosts>
> ...
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> ...
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny denied_hosts
> http_access allow allowed_hosts
>
> http_access deny all
> http_port 3128
> icp_port 0

That looks fine.

>
> -----------------------------------------
>
>
> What might be the cause of this strange situation?
> How could I figure out why this happens?
> Any hints, any thoughts.
>
> Thanks.
>

Chris
Received on Thu Jan 15 2009 - 20:48:43 MST
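The correlation step Chris describes (take the hosts from active_requests, resolve them, and compare with the peers tcpdump shows) as an added example, not code from the thread or from Squid; the squidclient and tcpdump output below is constructed, 192.0.2.1 stands in for the proxy, and the DNS stub in place of forward_resolve is an assumption so it runs offline:

```python
import re
import socket
from typing import Dict, List, Set
from urllib.parse import urlsplit
# Constructed `squidclient cache_object://localhost/active_requests` output;
# only the "uri" lines are used, as in the grep from the reply.
ACTIVE_REQUESTS = """\
Connection: 0x9a1c3e8
\turi http://site-a.example/index.html
Connection: 0x9a1d0f0
\turi http://site-b.example:8080/big.iso
"""
# Constructed `tcpdump -n` lines; 192.0.2.1 stands in for the proxy itself.
TCPDUMP_LINES = """\
11:28:15.232848 IP 194.187.97.85.80 > 192.0.2.1.55605: . 1:1449(1448) ack 349 win 33304
11:28:15.232871 IP 192.0.2.1.55605 > 194.187.97.85.80: . ack 1449 win 2184
11:28:16.000001 IP 88.208.22.108.80 > 192.0.2.1.55610: P 1:200(199) ack 1 win 100
"""
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def hosts_from_active_requests(text: str) -> Set[str]:
    """Hostnames of every URI Squid is fetching right now."""
    return {urlsplit(line.split(None, 1)[1]).hostname
            for line in (raw.strip() for raw in text.splitlines())
            if line.startswith("uri ")}

def remote_ips_from_tcpdump(text: str, proxy_ip: str) -> Set[str]:
    """Peer addresses seen in either packet direction, excluding the proxy."""
    ips = set()
    for src, dst in PKT_RE.findall(text):
        ips.add(dst if src == proxy_ip else src)
    ips.discard(proxy_ip)
    return ips

def forward_resolve(host: str) -> Set[str]:
    """IPv4 addresses a host maps to (live DNS; pass a stub to run offline)."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(host, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()

def correlate(hosts, remote_ips, resolve=forward_resolve):
    """Peer IP -> active hosts resolving to it; leftover IPs are the ones
    to reverse-look-up (socket.gethostbyaddr) and search for in access.log."""
    explained: Dict[str, List[str]] = {}
    for host in sorted(hosts):
        for ip in resolve(host) & remote_ips:
            explained.setdefault(ip, []).append(host)
    return explained, sorted(remote_ips - set(explained))
```

A peer IP that no active host resolves to is the one worth chasing: reverse-resolve it and grep access.log for both the IP and the name it returns.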
