On Mon 2006-04-10 at 15:08 +0200, Michał Margula wrote:
> Hello!
>
> I have some trouble with a new kind of flood targeted at the proxy server.
> One host creates thousands of new connections. Is there a way to
> protect against that at the Squid level? I would like to avoid doing it with
> netfilter, because it is hard to guess an acceptable limit of connections
> (browsers tend to open many of them when viewing one page with many
> pictures, flash, java applets and so on).
>
> It is a snippet from access.log.
>
> 1144674534.008 99296 A.B.C.D TCP_MISS/000 0 GET http://A.B.223.254/ - NONE/- -

Fairly normal when there is a station infected with a virus/worm.

Can only be combated with a combination of Squid access logs and iptables, blacklisting stations making too many failed IP-based requests. Combating these in Squid alone isn't very useful, as they tend to just bash Squid even harder if rejected by Squid alone.

A simple solution is a small daemon tailing the Squid access.log looking for TCP_MISS/000 records with IP-based URLs, and when seeing too many from the same station within a minute or so, automatically adding an iptables rule blacklisting this host.

Regards
Henrik
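The log-tailing detector Henrik sketches, written out as an added Python example (not code from the thread): it parses Squid native access.log lines, counts TCP_MISS/000 requests to IP-literal URLs per client station in a sliding one-minute window, and returns the iptables rule to add the first time a station crosses the threshold. The threshold of 100, the proxy port 3128 and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+\S+\s+(?P<url>\S+)")

def is_ip_url(url):
    """True when the URL host is a bare IP literal (the scanning-worm pattern), not a hostname."""
    host = urlsplit(url).hostname
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

class FloodDetector:
    """Per-station sliding-window count of failed (TCP_MISS/000) requests to IP-based URLs."""
    def __init__(self, threshold=100, window=60.0):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)  # client -> timestamps of recent suspicious requests
        self.flagged = set()

    def feed(self, line):
        """Consume one log line; return the client IP the first time it crosses the threshold."""
        m = LOG_RE.match(line)
        if not m or m.group("result") != "TCP_MISS/000" or not is_ip_url(m.group("url")):
            return None
        ts, client = float(m.group("ts")), m.group("client")
        q = self.hits[client]
        q.append(ts)
        while ts - q[0] > self.window:  # expire hits older than the window
            q.popleft()
        if len(q) >= self.threshold and client not in self.flagged:
            self.flagged.add(client)
            return client
        return None

def block_rule(client):
    """iptables rule the daemon would add for a flagged station (assumed proxy port 3128); returned, not run."""
    return f"iptables -I INPUT -s {client} -p tcp --dport 3128 -j DROP"

def scan(lines, threshold=100, window=60.0):
    """Run the detector over an iterable of log lines; return the block rules to apply, in order."""
    det = FloodDetector(threshold, window)
    return [block_rule(c) for c in map(det.feed, lines) if c]

# Constructed sample: 120 failed IP-based requests from one station within ~1.2 s, plus one normal request.
SAMPLE = [f"{1144674534.0 + i * 0.01:.3f} 99296 10.0.0.7 TCP_MISS/000 0 GET http://10.9.223.254/ - NONE/- -" for i in range(120)]
SAMPLE.append("1144674535.500 120 10.0.0.8 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html")
```

A real daemon would feed `scan` from a tail of access.log and hand each returned rule to iptables; keeping the threshold well above what a browser opens for one page-load avoids blocking the legitimate bursts Michał mentions.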