[squid-users] Help to understand tcp_denied in access.log

andre.bolinhas at articatech.com andre.bolinhas at articatech.com
Fri Apr 14 01:23:37 UTC 2023


Hi
I'm seeing too many requests to the website mainnet.infura.io. By analyzing the
access.log, it seems that the website is blocked, but I also notice that the
request is consuming bandwidth. Here is an example.
Squid access.log format.
%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a:%<p %mt mac="%>eui" %note ua="%{User-Agent}>h" exterr="%err_code|%err_detail"

Access.log request.
1681099742.517     35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"

1681099742.575     41 10.81.216.114 TCP_DENIED/407 511819 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="ERR_CACHE_ACCESS_DENIED|-"

1681099742.664     73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" exterr="-|-"

1681099742.685     20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html mac="00:00:00:00:00:00" category:%20143%0D%0Acategory-name:%20Trackers%0D%0Aclog:%20cinfo:143-Trackers;%0D%0Auser:%20HLBHO/tsyafiq%0D%0A ua="-" exterr="ERR_ACCESS_DENIED|-"

Each TCP_DENIED request is consuming 400000+ bytes, so at the end of the day
sometimes I have a total of 56k requests to mainnet.infura.io consuming
around 15GB of bandwidth.

My question is, assuming that %<st is the total size of the reply, why is
TCP_DENIED taking a lot of bandwidth to block a website?

Best regards
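
An added example, not part of the original post: a Python sketch that parses entries in the logformat quoted above and totals `%<st` per result code for one CONNECT destination, so the 407 challenges and 403 denials can be sized separately. The sample lines are the post's four entries with the `%note` and User-Agent values shortened; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the post's four entries, one per line, with the %note
# and User-Agent values shortened. Field order follows the posted logformat.
SAMPLE_LOG = """\
1681099742.517     35 10.81.216.114 TCP_DENIED_ABORTED/407 41154 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" - ua="Mozilla/5.0" exterr="ERR_CACHE_ACCESS_DENIED|-"
1681099742.575     41 10.81.216.114 TCP_DENIED/407 511819 CONNECT mainnet.infura.io:443 - HIER_NONE/-:- text/html mac="00:00:00:00:00:00" - ua="Mozilla/5.0" exterr="ERR_CACHE_ACCESS_DENIED|-"
1681099742.664     73 10.81.216.114 NONE/200 0 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- - mac="00:00:00:00:00:00" - ua="Mozilla/5.0" exterr="-|-"
1681099742.685     20 10.81.216.114 TCP_DENIED_ABORTED/403 450655 CONNECT mainnet.infura.io:443 HLBHO/tsyafiq HIER_NONE/-:- text/html mac="00:00:00:00:00:00" - ua="-" exterr="ERR_ACCESS_DENIED|-"
"""


def parse_line(line):
    """Return the leading fixed fields of one entry, or None if malformed."""
    parts = line.split(None, 8)  # %6tr is space-padded, so split on runs
    if len(parts) < 9:
        return None
    _ts, _tr, client, status, size, method, url, user = parts[:8]
    code, _, http = status.partition("/")
    if not size.isdigit() or not http.isdigit():
        return None
    return {"client": client, "code": code, "http": int(http),
            "bytes": int(size), "method": method, "url": url, "user": user}


def summarize(lines, host):
    """Total requests and %<st bytes per (Squid code, HTTP status, has user)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        if rec["url"].rpartition(":")[0] != host:  # CONNECT target is host:port
            continue
        # 407 is the proxy-auth challenge; 403 is an access denial.
        key = (rec["code"], rec["http"], rec["user"] != "-")
        totals[key][0] += 1
        totals[key][1] += rec["bytes"]
    return {k: tuple(v) for k, v in totals.items()}


def denied_bytes(summary):
    """Bytes logged for replies whose Squid code starts with TCP_DENIED."""
    return sum(b for (code, _, _), (_, b) in summary.items()
               if code.startswith("TCP_DENIED"))


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines(), "mainnet.infura.io")
    for (code, http, authed), (count, size) in sorted(result.items()):
        print(f"{code}/{http} user={authed} requests={count} bytes={size}")
    print("denied bytes:", denied_bytes(result))
```

To run it over a real log, pass an open file handle for access.log as `lines`, with one entry per line.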





