[squid-users] Malformed HTTP on tproxy squid

Eliezer Croitoru eliezer at ngtech.co.il
Wed Aug 17 09:06:47 UTC 2016 

Hey Omid,

If you know what domain or ip address causes and issue the first thing I can think about is bypassing the malicious traffic to allow other clients\users to reach the Internet.
Depends on the client and the destination you can choose the right approach.
And since squid is also being used as a http ACL enforcement tool malformed requests basically should be dropped and not bypassed automatically.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Omid Kosari
Sent: Tuesday, August 16, 2016 1:23 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Malformed HTTP on tproxy squid

According to my other post
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-cpu-usage-100-from-few-days-ago-td4678894.html


Squid cpu usage becomes 100% when it forwatds some kind of malformed http traffic .
Even one ip address with less than 5 requests per second can grow squid cpu usage up to 30% 

We have found that this request belongs to a cheap popular satellite receiver www.starmax.co . Maybe it has been infected and becomes zombie of a btnet .

Apart from the client type , my question is 

Shouldn't squid have a mechanism to defend this types of problems ? Isn't possible for squid to simply ignore malformed http requests ?

Is there any workaround to prevent this problem ?




Squid is in tproxy mode with routing

Ubuntu Linux 16.04 , 4.4.0-34-generic on x86_64 Squid Cache: Version 3.5.19 from debian repository


samples  %        image name               symbol name
1532894  42.8190  libc-2.23.so             _IO_strn_overflow
1028537  28.7306  libc-2.23.so             _IO_default_xsputn
662802   18.5143  libc-2.23.so             vfprintf
77019     2.1514  squid                    /usr/sbin/squid
28861     0.8062  libc-2.23.so             __memset_sse2
26948     0.7528  r8169                    /r8169
25320     0.7073  libc-2.23.so             __memcpy_sse2_unaligned
21712     0.6065  libc-2.23.so             __GI___mempcpy
14918     0.4167  libc-2.23.so             _int_malloc
8889      0.2483  nf_conntrack             /nf_conntrack
8130      0.2271  libc-2.23.so             __GI_strchr
6357      0.1776  libc-2.23.so             _int_free
4152      0.1160  libc-2.23.so             re_search_internal
4043      0.1129  libc-2.23.so             strlen
2754      0.0769  libstdc++.so.6.0.21     
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
2753      0.0769  libc-2.23.so             free
2704      0.0755  ip_tables                /ip_tables
2560      0.0715  reiserfs                 /reiserfs
2332      0.0651  kallsyms                 ___slab_alloc
2284      0.0638  libc-2.23.so             malloc_consolidate
2204      0.0616  libc-2.23.so             malloc
2175      0.0608  kallsyms                 sys_epoll_ctl
2035      0.0568  kallsyms                 csum_partial_copy_generic
1614      0.0451  libc-2.23.so             calloc
1552      0.0434  kallsyms                 _raw_spin_lock
1208      0.0337  kallsyms                 memcpy
1203      0.0336  kallsyms                 nf_iterate
1177      0.0329  kallsyms                 irq_entries_start
1165      0.0325  kallsyms                 __fget
1072      0.0299  kallsyms                 copy_user_generic_string
1037      0.0290  kallsyms                 __alloc_skb
1002      0.0280  kallsyms                 tcp_sendmsg
945       0.0264  libc-2.23.so             build_upper_buffer
875       0.0244  kallsyms                 kmem_cache_free
873       0.0244  kallsyms                 tcp_rack_mark_lost
868       0.0242  nf_nat_ipv4              /nf_nat_ipv4
861       0.0241  kallsyms                 kfree
837       0.0234  kallsyms                 __inet_lookup_established
834       0.0233  kallsyms                 get_partial_node.isra.61
825       0.0230  kallsyms                 __slab_free
815       0.0228  kallsyms                 sock_poll
810       0.0226  kallsyms                 skb_release_data
802       0.0224  nf_conntrack_ipv4        /nf_conntrack_ipv4
792       0.0221  kallsyms                 tcp_transmit_skb
771       0.0215  kallsyms                 kmem_cache_alloc
719       0.0201  kallsyms                 fib_table_lookup
704       0.0197  kallsyms                 _raw_spin_lock_irqsave
701       0.0196  kallsyms                 tcp_v4_rcv
699       0.0195  libm-2.23.so             __ieee754_log_avx
686       0.0192  nf_nat                   /nf_nat
684       0.0191  kallsyms                 tcp_write_xmit
674       0.0188  kallsyms                 __cmpxchg_double_slab.isra.44
626       0.0175  kallsyms                 __netif_receive_skb_core
621       0.0173  libnettle.so.6.2        
/usr/lib/x86_64-linux-gnu/libnettle.so.6.2
608       0.0170  kallsyms                 delay_tsc
600       0.0168  kallsyms                 ksize
595       0.0166  kallsyms                 tcp_ack
592       0.0165  kallsyms                 __local_bh_enable_i



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Malformed-HTTP-on-tproxy-squid-tp4678951.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list