[squid-users] Detecting clients flooding squid with failed request
dan at getbusi.com
Mon Aug 3 07:25:50 UTC 2015
Fail2ban looks like a viable option though we would still need to write a regex definition to target this sort of behaviour. Their squid example targets aggressive hosts where my preference would be to target aggressive applications (that could be running on more than one host).
In my case “raise the alarm” would probably mean send an email to somebody and there are lots of ways to do that programmatically.
Still open to any other ideas anyone has.
> On 3 Aug 2015, at 5:11 pm, Antony Stone <Antony.Stone at squid.open.source.it> wrote:
> On Monday 03 August 2015 at 08:06:35 (EU time), Dan Charlesworth wrote:
>> Probably a lot of forward proxy users here have encountered applications
>> which, if they can’t get their web requests through the proxy (because of
>> 407 Proxy Auth Required or whatever), just start aggressively, endlessly
>> spamming requests.
>> A recent example would be AVG’s “cloud” features generating around 90
>> requests per second from one computer. Pretty annoying.
>> I was wondering if anyone here has any creative ideas for detecting when
>> this is happening programmatically?
>> It’s obviously easy to spot as a human if you’re looking at the access log,
>> but it would be awesome if we could somehow parse some squidclient manager
>> output and/or the access logs and “raise the alarm” in some way.
>> Would love to hear anyone’s ideas about how the logic would work for
>> something like this.
> Depending on what action you want for "raising the alarm", I'm pretty sure
> fail2ban could be configured for this.
> Anyone that's normal doesn't really achieve much.
> - Mark Blair, Australian rocket engineer
> Please reply to the list;
> please *don't* CC me.
> squid-users mailing list
> squid-users at lists.squid-cache.org
More information about the squid-users