[squid-users] Detecting clients flooding squid with failed request

Dan Charlesworth dan at getbusi.com
Mon Aug 3 06:06:35 UTC 2015


Probably a lot of forward proxy users here have encountered applications which, if they can’t get their web requests through the proxy (because of 407 Proxy Auth Required or whatever), just start aggressively, endlessly spamming requests.

A recent example would be AVG’s “cloud” features generating around 90 requests per second from one computer. Pretty annoying.

I was wondering if anyone here has any creative ideas for detecting when this is happening programmatically?

It’s obviously easy to spot as a human if you’re looking at the access log, but it would be awesome if we could somehow parse some squidclient manager output and/or the access logs and “raise the alarm” in some way.

Would love to hear anyone’s ideas about how the logic would work for something like this.

Cheers
Dan
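
One way the access-log side of this could work, as an added example that is not part of the original post: a sliding-window count of `TCP_DENIED` responses per client address over Squid's native access.log format. The window length, threshold, addresses and log lines are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
THRESHOLD = 50        # assumed: denied requests per window that count as a flood

def parse_line(line):
    """Parse a native-format access.log line into (timestamp, client, result_code)."""
    parts = line.split()
    if len(parts) < 4 or "/" not in parts[3]:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[2], parts[3].split("/", 1)[0]

def detect_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client: peak denied-request count seen in any window} for flooders."""
    recent = defaultdict(deque)   # client -> timestamps of recent denied requests
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].startswith("TCP_DENIED"):
            continue              # skip malformed lines and requests Squid served
        ts, client, _ = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample data: one client at ~90 denied req/s, one normal client."""
    base, lines = 1438581995.0, []
    for i in range(270):          # 3 seconds at 90 requests per second
        lines.append(f"{base + i / 90:.3f}      0 192.0.2.10 TCP_DENIED/407 3985 "
                     "CONNECT updates.example.invalid:443 - HIER_NONE/- text/html")
    for i in range(5):            # normal client: one 407 challenge, then success
        lines.append(f"{base + i:.3f}      0 192.0.2.20 TCP_DENIED/407 3985 "
                     "GET http://www.example.invalid/ - HIER_NONE/- text/html")
        lines.append(f"{base + i + 0.2:.3f}    120 192.0.2.20 TCP_MISS/200 5120 "
                     "GET http://www.example.invalid/ alice HIER_DIRECT/203.0.113.5 text/html")
    lines.append("truncated line")
    return lines

if __name__ == "__main__":
    for client, peak in detect_floods(build_sample_log()).items():
        print(f"ALERT {client}: {peak} denied requests within {WINDOW_SECONDS}s")
```

The normal client's single 407 challenge per request stays far below the threshold, so only the flooding address is reported.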

