Re: [squid-users] squid_ldap_auth - Thousands of Requests

From: Paul <news_at_pointdee.co.uk>
Date: Thu, 10 Mar 2011 13:57:46 +0000

>
> > The "squid_ldap_auth:" lines are coming from the helper. The problem
> > is exactly as stated, the LDAP server is not answering connection
> > requests.
> >
> > The "commBind:" lines are from squid itself. Squid-2 always uses
> > bind(), even if there is no address being bound. That message
> > indicates there is no socket available to be dedicated on the link or
> > the stack is getting confused.
> >
> > It seems like your kernel or networking is not able to cope with the
> > number of TCP sockets those thousands of requests are needing to use.
> >
>
I maybe should have made it clearer that these are hundreds of requests
per second. I can easily understand how a part of the overall process is
getting overloaded with this rate of traffic; however, I have only 150
users and this is a new problem. I've been running with the same config
for the last 3 months or so.

> >
> > Check some of the HTTP headers arriving into Squid. Base-64 decoding
> > the "random" letter string on the Proxy-Authorization: should come on
> > up with "username:password". If the username is actually missing it is
> > probably malicious.
> >
> > For these auth symptoms on a forward proxy it would be suspicious
> > stuff coming out of the LAN to look for. Infected clients, broken
> > software becoming popular, etc.
> >
> >
> > Amos
>
Malicious/viral was/is my suspicion, but as yet I can't find anything in
the tcpdump to indicate the problem machine. The username in the LDAP
query is definitely blank and I'm only seeing the LDAP requests without
a corresponding inbound auth attempt/get/connect etc. My machines are
all fully patched and have current up-to-date anti-virus, so I'm kind of
at a loss. The problem does go away as my users go home and comes back
the following day, which also indicates malicious/viral, so I guess I'll
have to just try to isolate them into smaller groups to try and narrow
it down.

If you have any other suggestions, please let me know.

Thanks

Paul
Received on Thu Mar 10 2011 - 13:57:52 MST
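
Added example, not part of the original thread: one way to run the header check Amos describes (Base-64 decode the Proxy-Authorization value and look for a missing username) over a capture and count the offending requests per client address. It assumes text output from "tcpdump -A" taken on the proxy port; the sample capture, addresses and credentials below are constructed.

```python
import base64
import binascii
import re
from collections import Counter

# tcpdump -A packet header line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
PKT = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > ")
AUTH = re.compile(r"Proxy-Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)

def classify(token):
    """Return 'ok', 'blank-user' or 'malformed' for a Basic credential token."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "malformed"
    user, sep, _password = decoded.partition(":")
    if not sep:
        return "malformed"          # no "username:password" separator at all
    return "ok" if user.strip() else "blank-user"

def suspicious_clients(capture_text):
    """Count Proxy-Authorization headers that are not 'ok', per source IP."""
    hits = Counter()
    src = None
    for line in capture_text.splitlines():
        m = PKT.match(line)
        if m:
            src = m.group(1)        # remember which client sent this packet
            continue
        a = AUTH.search(line)
        if a and src:
            verdict = classify(a.group(1))
            if verdict != "ok":
                hits[(src, verdict)] += 1
    return hits

# Constructed sample capture (addresses and credentials are made up).
SAMPLE = """\
13:57:01.100001 IP 192.168.1.23.51234 > 192.168.1.2.3128: Flags [P.], length 180
E...GET http://example.com/ HTTP/1.1
Proxy-Authorization: Basic YWxpY2U6c2VjcmV0
13:57:01.100450 IP 192.168.1.57.49811 > 192.168.1.2.3128: Flags [P.], length 171
E...GET http://example.com/ HTTP/1.1
Proxy-Authorization: Basic Og==
13:57:01.100912 IP 192.168.1.57.49812 > 192.168.1.2.3128: Flags [P.], length 179
Proxy-Authorization: Basic OnNlY3JldA==
"""

if __name__ == "__main__":
    for (ip, verdict), n in suspicious_clients(SAMPLE).most_common():
        print(ip, verdict, n)
```

Sorting the result by count points at the client addresses to isolate first.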
