[squid-users] Detecting clients flooding squid with failed request
Antony Stone
Antony.Stone at squid.open.source.it
Mon Aug 3 07:11:30 UTC 2015
On Monday 03 August 2015 at 08:06:35 (EU time), Dan Charlesworth wrote:
> Probably a lot of forward proxy users here have encountered applications
> which, if they can’t get their web requests through the proxy (because of
> 407 Proxy Auth Required or whatever), just start aggressively, endlessly
> spamming requests.
>
> A recent example would be AVG’s “cloud” features generating around 90
> requests per second from one computer. Pretty annoying.
>
> I was wondering if anyone here has any creative ideas for detecting when
> this is happening programmatically?
>
> It’s obviously easy to spot as a human if you’re looking at the access log,
> but it would be awesome if we could somehow parse some squidclient manager
> output and/or the access logs and “raise the alarm” in some way.
>
> Would love to hear anyone’s ideas about how the logic would work for
> something like this.
Depending on what action you want for "raising the alarm", I'm pretty sure
fail2ban could be configured for this.
Antony.
--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please *don't* CC me.
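
One way the access-log parsing asked about above could work, as an added example that is not part of either poster's message: a per-client sliding-window count of failed requests. It assumes Squid's native access.log format; the window, threshold, function names and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\w+/(\d{3})\s")

def find_flooders(lines, window=10.0, threshold=50, statuses=("407",)):
    """Return {client: peak count} for every client that logged more than
    `threshold` responses with a status in `statuses` within `window` seconds.
    window/threshold defaults are assumptions; tune them to your traffic."""
    recent = defaultdict(deque)  # client -> timestamps of failures still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a native-format line, ignore it
        ts, client, status = m.groups()
        if status not in statuses:
            continue
        ts = float(ts)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one client retrying at 90 requests/second against
    407 responses for 3 seconds, and one client that authenticates normally."""
    lines = []
    for i in range(270):
        lines.append("%.3f      0 192.0.2.10 TCP_DENIED/407 3980 CONNECT "
                     "updates.example.com:443 - HIER_NONE/- text/html"
                     % (1438585890.0 + i / 90.0))
    lines.append("1438585890.500      0 192.0.2.20 TCP_DENIED/407 3980 GET "
                 "http://www.example.com/ - HIER_NONE/- text/html")
    for i in range(5):
        lines.append("%.3f    120 192.0.2.20 TCP_MISS/200 5120 GET "
                     "http://www.example.com/p%d alice HIER_DIRECT/198.51.100.7 "
                     "text/html" % (1438585891.0 + i, i))
    return lines

if __name__ == "__main__":
    for client, peak in sorted(find_flooders(sample_log()).items()):
        print("ALERT %s: %d failed requests within 10s" % (client, peak))
```

A single 407 challenge followed by authenticated requests, which is normal proxy-auth behaviour, stays below the threshold and is not reported.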