[squid-users] Detecting clients flooding squid with failed request

Mon Aug 3 07:11:30 UTC 2015

On Monday 03 August 2015 at 08:06:35 (EU time), Dan Charlesworth wrote:

> Probably a lot of forward proxy users here have encountered applications
> which, if they can’t get their web requests through the proxy (because of
> 407 Proxy Auth Required or whatever), just start aggressively, endlessly
> spamming requests.
> 
> A recent example would be AVG’s “cloud” features generating around 90
> requests per second from one computer. Pretty annoying.
> 
> I was wondering if anyone here has any creative ideas for detecting when
> this is happening programmatically?
> 
> It’s obviously easy to spot as a human if you’re looking at the access log,
> but it would be awesome if we could somehow parse some squidclient manager
> output and/or the access logs and “raise the alarm” in some way.
> 
> Would love to hear anyone’s ideas about how the logic would work for
> something like this.

Depending on what action you want for "raising the alarm", I'm pretty sure 
fail2ban could be configured for this.

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                   Please reply to the list;
                                                         please *don't* CC me.