> > > The "squid_ldap_auth:" lines are coming from the helper. The problems > > is exactly as stated, the LDAP server is not answering connection > > requests. > > > > The "commBind:" lines are from squid itself. Squid-2 always uses > > bind(), even if there is no address being bound. That message > > indicates there is no socket available to be dedicated on the link or > > the stack is getting confused. > > > > It seems like your kernel or networking is not able to cope with the > > number of TCP sockets those thousands of requests are needing to use. > > > I maybe should have made it clearer that these are hundreds of requests per second. I can easily understand how a part of the overall process is getting overloaded with this rate of traffic however I have only 150 users and this is a new problem. I've been running with the same config for the last 3 months or so >> >> >> > > > > Check some of the HTTP headers arriving into Squid. Base-64 decoding > > the "random" letter string on the Proxy-Authorization: should come on > > up with "username:password". If the username is actually missing it is > > probably malicious. > > > > For these auth symptoms on a forward proxy it would be suspicious > > stuff coming out of the LAN to look for. Infected clients, broken > > software becoming popular, etc. > > > > > > Amos > Malicious/viral was/is my suspicion but as yet I can't find anything in the tcpdump to indicate the problem machine. The username in the LDAP query is definitely blank and I'm only seeing the LDAP requests without a corresponding inbound auth attempt/get/connect etc. My machines are all fully patched and have current up-to-date anti-virus so I'm kind of at a loss. The problem does go away as my users go home and comes back the following day which also indicates malicious/viral so I guess I'll have to just try to isolate them into smaller groups to try and narrow it down If you have any other suggestions please let me know Thanks Paul
