Search squid archive

Re: Help to understand tcp_denied in access.log

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 4/13/23 21:23, andre.bolinhas@xxxxxxxxxxxxxx wrote:


I'm seeing to many requests to website mainnet.infura.io, by analyzing the
access.log seams that the website is blocked
Which directive/mechanism blocks them (e.g., http_access, reply_body_max_size, ICAP/eCAP, etc.)?
Each TCP_DENIED request is consuming 400000+ bytes
Assuming you do not use huge custom TCP_DENIED error pages, I agree that these entries look suspicious, as if Squid denied access but continued to tunnel the traffic. The response times are fairly small, but probably large enough to transmit those amounts of data from a fast server.
Since most requests (for the affected domain) are problematic, can you collect a packet trace and see if you can confirm that these transactions transmit a lot of data from Squid to the client? If IPs are not enough, logging client TCP port (%>p) may help you match specific access.log entries with TCP connections in the packet trace...
What Squid version are you using for this? Does SslBump affect the problematic transactions? 


Thank you,

Alex.




but I also notice that the
request is consuming bandwidth, here a example
Squid access.log format.
%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a:%<p %mt mac="%>eui"
%note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"

Access.log request.
1681099742.517     35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT
mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00"
category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
rs;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
exterr="ERR_CACHE_ACCESS_DENIED|-"

1681099742.575     41 10.81.216.114 TCP_DENIED/407 511819 CONNECT
mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00"
category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
rs;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"
exterr="ERR_CACHE_ACCESS_DENIED|-"

1681099742.664     73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443
HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00"
category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
rs;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac
OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0
Safari/537.36" exterr="-|-"

1681099742.685     20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT
mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html
mac="00:00:00:00:00:00"
category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Tracke
rs;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="-" exterr="ERR_ACCESS_DENIED|-"

Each TCP_DENIED request is consuming 400000+ bytes so at the end of the day
sometimes I have a total of 56k request to mainnet.infura.io consuming
around 15GB of bandwidth.

My question is, assuming that %<st is the total size of reply, why
TCP_DENIED is taking a lot of bandwidth to block a website?

Best regards




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux