Hello Eliezer,

I use Linux CentOS; I think I will study fail2ban.
It seems very, very interesting, thank you for the suggestion!

Francesco

________________________________________
From: squid-users [squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] on behalf of Eliezer Croitoru [eliezer@xxxxxxxxxxxx]
Sent: Friday, 23 October 2015 1.00
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid 100% CPU and possible attack

The simplest way is to use fail2ban.
What OS are you using?
It is possibly an attack but it's not 100%.
What you can do is to also disable access using the proxy to this destination IP and address.
100% CPU in many cases is not something odd but you can try fail2ban with a special rule to block this client in the iptables of the machine (if this is Linux...)

Eliezer

On 23/10/2015 00:43, Job wrote:
> Hello,
>
> sometimes, for about half an hour, our Squid becomes unstable and, by typing "top -s", Squid is taking 100% of the CPU.
>
> In Squid's access.log, I see lots of entries like this:
>
> "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:18";"2015";"19153";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:18";"2015";"20346";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:21";"2015";"20391";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:21";"2015";"19142";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:22";"2015";"19075";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
>
> There seems to be a possible attack/exploit from an internal machine? It is the 192.168.1.250 in the example.
>
> Is there a patch or something to not spread up Squid to the 100% CPU limit for these "Attacks"?
>
> Thank you!
> Francesco
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
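
Added example, not part of any message in this thread: a Python version of the per-client rate check that a fail2ban-style rule would apply to log lines like those quoted above. The field positions (client address in the 7th field, result code in the 8th) are read off the quoted lines; the threshold, the window and the last two log lines are constructed for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Template reproducing the six lines quoted in the thread (time and 6th field vary).
_HIT = ('"Thu";"Oct";"22";"{t}";"2015";"{n}";"192.168.1.250";"TCP_MISS/000";"0";"GET";'
        '"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"')
SAMPLE = [_HIT.format(t=t, n=n) for t, n in [
    ("11:45:17", 21328), ("11:45:18", 19153), ("11:45:18", 20346),
    ("11:45:21", 20391), ("11:45:21", 19142), ("11:45:22", 19075)]]
# Constructed lines from a second client that must NOT be flagged.
SAMPLE += [
    '"Thu";"Oct";"22";"11:45:19";"2015";"87";"192.168.1.77";"TCP_MISS/200";"5120";'
    '"GET";"http://example.com/";"-";"DIRECT/192.0.2.10";"-"',
    '"Thu";"Oct";"22";"11:45:20";"2015";"30001";"192.168.1.77";"TCP_MISS/000";"0";'
    '"GET";"http://example.com/slow";"-";"DIRECT/192.0.2.10";"-"',
]

def parse(line):
    """Split one quoted, semicolon-delimited record into (time, client, result)."""
    f = next(csv.reader([line.strip()], delimiter=";", quotechar='"'))
    when = datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y")
    return when, f[6], f[7]  # assumed layout: field 7 = client, field 8 = result

def flag_clients(lines, result="TCP_MISS/000", threshold=5,
                 window=timedelta(seconds=10)):
    """Return {client: peak count} for clients with at least `threshold`
    matching requests inside any sliding window. Lines must be in time order."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)       # client -> largest window population seen
    for line in lines:
        if not line.strip():
            continue
        when, client, code = parse(line)
        if code != result:
            continue
        q = recent[client]
        q.append(when)
        while when - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in flag_clients(SAMPLE).items():
        print(f"{client}: {n} requests logged as TCP_MISS/000 within 10 s")
```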