David Young wrote:
Hi Amos,
Unfortunately the maxconn ACL is not suitable in our circumstance, since
we service several clients who are behind NAT'd IPs, so there may be as
many as 50 real browsers behind a single IP. The collapsedforwarding
option looks interesting, I'll keep an eye on that, thanks :)
- David
Right. Well, with IPv4 either you or the customer using NAT is now
screwed. You can protect your business by limiting their IP or you can
remain at the mercy of their future expansions.
The middle ground on this is to use a combination of ACLs to lift the
maxconn cap for NAT clients higher than the other clients. Or to roll
out IPv6 web access with Squid-3.1 as I have.
FYI: The IPv6 experience here has not been bad, the only major hurdle I
have encountered by going dual-stack is general-traffic transit to the
nearest v6-native network.
Amos
On 17/04/2008, at 2:39 PM, Amos Jeffries wrote:
The 'maxconn' ACL is available in all Squid to protect against this type
of client.
The collapsed forwarding feature of 2.x designed to cope with wider DDoS
still needs someone with time to port it into 3.x.
http://wiki.squid-cache.org/Features/CollapsedForwarding
Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
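One way to express Amos's middle ground in squid.conf, as an added example that is not part of the thread: the maxconn ACL matches once a client IP holds more than the given number of connections, so a known NAT gateway gets its own, higher cap while everyone else keeps the tight one. The addresses and limits below are constructed placeholders.

```conf
# Per-client connection caps with a higher cap for known NAT gateways.
# 198.51.100.7 is a constructed placeholder for the customer's NAT address.
acl nat_gateways src 198.51.100.7/32
acl localnet src 10.0.0.0/8

# maxconn matches when the client IP has MORE than N connections open.
acl too_many_conns     maxconn 30
acl too_many_nat_conns maxconn 500

# Order matters: deny rules run before the final allow.
# NAT gateways are only cut off at the high cap...
http_access deny nat_gateways too_many_nat_conns
# ...while every other client is held to the low cap.
http_access deny !nat_gateways too_many_conns

http_access allow localnet
http_access deny all
```

A client that trips one of the deny rules gets an access-denied response rather than being queued, so watch access.log for TCP_DENIED hits from the NAT address before raising its cap further.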