[squid-users] Squid 100% CPU and possible attack
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 23 04:36:28 UTC 2015
On 23/10/2015 10:43 a.m., Job wrote:
> Hello,
>
> sometimes, for about half an hour, tour Squid becomes unstable and, by typing "top -s", Squid is taking the 100% of the CPU.
>
> In Squid's access.log, i see lots of entry like this:
>
> "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:18";"2015";"19153";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:18";"2015";"20346";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:21";"2015";"20391";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:21";"2015";"19142";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
> "Thu";"Oct";"22";"11:45:22";"2015";"19075";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:8080/cgi-bin/a2/out.cgi";"-";"DIRECT/192.168.1.254";"-"
>
> There seem be a possible attack/exploit from an internal machine? It is the 192.168.1.250 in the example.
>
> Is there a patch or something to not spread up Squid to the 100% cpu limit for these "Attacks"?
>
That looks like the side effects of a forwarding loop DoS. Look for the
following line in your squid.conf and remove it:
via off
That should return to Squid its ability to actually detect and abort
looping behaviour quickly and let you find the real problem. I suspect
it is a bad NAT configuration.
Amos
More information about the squid-users
mailing list