Nyamul Hassan wrote:
Hi,

One of our proxies died down today, because the log files were overwhelming:

    -rw-r----- 1 squid squid 61440 Aug 17 16:01 access.log
    -rw-r----- 1 squid squid 523366451 Aug 17 02:59 access.log.0
    -rw-r----- 1 squid squid 771658231 Aug 17 00:00 access.log.1
    -rw-r----- 1 squid squid 562853886 Aug 16 21:00 access.log.2
    -rw-r----- 1 squid squid 618221433 Aug 16 18:00 access.log.3
    -rw-r----- 1 squid squid 572403480 Aug 16 15:00 access.log.4
    -rw-r----- 1 squid squid 379977665 Aug 16 12:00 access.log.5
    -rw-r----- 1 squid squid 348474013 Aug 16 09:00 access.log.6
    -rw-r----- 1 squid squid 367307983 Aug 16 06:00 access.log.7
    -rw-r----- 1 squid squid 663904388 Aug 16 03:00 access.log.8
    -rw-r----- 1 squid squid 735110835 Aug 16 00:00 access.log.9
    -rw-r----- 1 squid squid 36715761664 Aug 17 16:01 cache.log
    -rw-r----- 1 squid squid 14262776941 Aug 17 03:00 cache.log.0
    -rw-r----- 1 squid squid 955445 Aug 17 00:00 cache.log.1
    -rw-r----- 1 squid squid 748262 Aug 16 21:00 cache.log.2
    -rw-r----- 1 squid squid 1069482 Aug 16 18:00 cache.log.3
    -rw-r----- 1 squid squid 698758 Aug 16 15:00 cache.log.4
    -rw-r----- 1 squid squid 497547 Aug 16 11:59 cache.log.5
    -rw-r----- 1 squid squid 271153 Aug 16 08:59 cache.log.6
    -rw-r----- 1 squid squid 355351 Aug 16 05:59 cache.log.7
    -rw-r----- 1 squid squid 759748 Aug 16 02:59 cache.log.8
    -rw-r----- 1 squid squid 1037802 Aug 15 23:59 cache.log.9

As you can see, those "HUGE" cache log files were filled up in less than 12 hours.

Opening them up, I find they were filled with the following lines, repeated over and over again:

    2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
    2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument
    2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
    2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument
    2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
    2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument

And, that is the time from when it started. Is there any way to determine what is causing this?
Start with the Squid version and what settings your http_port are configured with.
Then we check for what it means. Google locates several requests, strangely around August each year for the last few.
Someone describes it thus: "The problem is however elsewhere, since it somewhere fails to obtain a socket (or has its socket destroyed by the kernel somehow) so that when it calls accept(2) on the socket it's not a socket any more."
Might be a SYN-flood DoS by that description. But your OS security should be catching such a thing before it gets near any internal software like Squid.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
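Added example, not part of the thread and not Squid's own code: a streaming triage of a cache.log flooded as described above, reporting when the accept failures started, on which FD and errno, their peak rate, and the last ordinary lines logged just before onset. The function name `triage`, the `context` parameter and the sample lines other than the two failure messages quoted in the thread are assumptions made for the example.

```python
import re
from collections import deque

# cache.log layout as quoted in the thread: "YYYY/MM/DD HH:MM:SS| message"
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")
# Matches both messages from the thread (comm_accept and httpAccept)
ACCEPT_RE = re.compile(
    r"^(comm_accept|httpAccept): FD (\d+): (?:accept failure: )?\((\d+)\) (.+)$")


def triage(lines, context=3):
    """Stream log lines; summarize accept failures per (source, FD, errno)."""
    stats = {}
    recent = deque(maxlen=context)  # last non-failure lines seen so far
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped cache.log line
        ts, msg = m.groups()
        a = ACCEPT_RE.match(msg)
        if not a:
            recent.append(line)
            continue
        key = (a.group(1), int(a.group(2)), int(a.group(3)))
        s = stats.get(key)
        if s is None:  # first failure for this key: record onset and context
            s = stats[key] = {"error": a.group(4), "first": ts, "count": 0,
                              "peak_per_sec": 0, "before": list(recent),
                              "_sec": ts, "_n": 0}
        if ts != s["_sec"]:  # new second: restart the per-second counter
            s["_sec"], s["_n"] = ts, 0
        s["_n"] += 1
        s["count"] += 1
        s["last"] = ts
        s["peak_per_sec"] = max(s["peak_per_sec"], s["_n"])
    return stats


# Constructed sample: the two failure messages are from the thread; the first
# line and the 02:33:12 entries are made up for the example.
FAIL = ["comm_accept: FD 28: (22) Invalid argument",
        "httpAccept: FD 28: accept failure: (22) Invalid argument"]
SAMPLE = (["2010/08/17 02:33:10| constructed placeholder message"]
          + ["2010/08/17 02:33:11| " + f for f in FAIL * 3]
          + ["2010/08/17 02:33:12| " + f for f in FAIL])

if __name__ == "__main__":
    for (src, fd, err), s in triage(SAMPLE).items():
        print(src, "FD", fd, "errno", err, s["error"], "first", s["first"],
              "last", s["last"], "count", s["count"], "peak/s", s["peak_per_sec"])
```

On a real proxy, pass an open file object (for example `triage(open(path, errors="replace"))`) so a multi-gigabyte cache.log is read line by line rather than loaded into memory.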