[squid-users] Malformed HTTP on tproxy squid
Eliezer Croitoru
eliezer at ngtech.co.il
Wed Aug 17 09:06:47 UTC 2016
Hey Omid,
If you know what domain or ip address causes an issue, the first thing I can think about is bypassing the malicious traffic to allow other clients\users to reach the Internet.
Depending on the client and the destination, you can choose the right approach.
And since squid is also being used as an HTTP ACL enforcement tool, malformed requests basically should be dropped and not bypassed automatically.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Omid Kosari
Sent: Tuesday, August 16, 2016 1:23 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Malformed HTTP on tproxy squid
According to my other post
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-cpu-usage-100-from-few-days-ago-td4678894.html
Squid cpu usage becomes 100% when it forwards some kind of malformed http traffic.
Even one ip address with less than 5 requests per second can grow squid cpu usage up to 30%.
We have found that this request belongs to a cheap popular satellite receiver www.starmax.co. Maybe it has been infected and become a zombie of a botnet.
Apart from the client type, my question is:
Shouldn't squid have a mechanism to defend against these types of problems? Isn't it possible for squid to simply ignore malformed http requests?
Is there any workaround to prevent this problem?
Squid is in tproxy mode with routing
Ubuntu Linux 16.04, 4.4.0-34-generic on x86_64
Squid Cache: Version 3.5.19 from debian repository
samples % image name symbol name
1532894 42.8190 libc-2.23.so _IO_strn_overflow
1028537 28.7306 libc-2.23.so _IO_default_xsputn
662802 18.5143 libc-2.23.so vfprintf
77019 2.1514 squid /usr/sbin/squid
28861 0.8062 libc-2.23.so __memset_sse2
26948 0.7528 r8169 /r8169
25320 0.7073 libc-2.23.so __memcpy_sse2_unaligned
21712 0.6065 libc-2.23.so __GI___mempcpy
14918 0.4167 libc-2.23.so _int_malloc
8889 0.2483 nf_conntrack /nf_conntrack
8130 0.2271 libc-2.23.so __GI_strchr
6357 0.1776 libc-2.23.so _int_free
4152 0.1160 libc-2.23.so re_search_internal
4043 0.1129 libc-2.23.so strlen
2754 0.0769 libstdc++.so.6.0.21 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
2753 0.0769 libc-2.23.so free
2704 0.0755 ip_tables /ip_tables
2560 0.0715 reiserfs /reiserfs
2332 0.0651 kallsyms ___slab_alloc
2284 0.0638 libc-2.23.so malloc_consolidate
2204 0.0616 libc-2.23.so malloc
2175 0.0608 kallsyms sys_epoll_ctl
2035 0.0568 kallsyms csum_partial_copy_generic
1614 0.0451 libc-2.23.so calloc
1552 0.0434 kallsyms _raw_spin_lock
1208 0.0337 kallsyms memcpy
1203 0.0336 kallsyms nf_iterate
1177 0.0329 kallsyms irq_entries_start
1165 0.0325 kallsyms __fget
1072 0.0299 kallsyms copy_user_generic_string
1037 0.0290 kallsyms __alloc_skb
1002 0.0280 kallsyms tcp_sendmsg
945 0.0264 libc-2.23.so build_upper_buffer
875 0.0244 kallsyms kmem_cache_free
873 0.0244 kallsyms tcp_rack_mark_lost
868 0.0242 nf_nat_ipv4 /nf_nat_ipv4
861 0.0241 kallsyms kfree
837 0.0234 kallsyms __inet_lookup_established
834 0.0233 kallsyms get_partial_node.isra.61
825 0.0230 kallsyms __slab_free
815 0.0228 kallsyms sock_poll
810 0.0226 kallsyms skb_release_data
802 0.0224 nf_conntrack_ipv4 /nf_conntrack_ipv4
792 0.0221 kallsyms tcp_transmit_skb
771 0.0215 kallsyms kmem_cache_alloc
719 0.0201 kallsyms fib_table_lookup
704 0.0197 kallsyms _raw_spin_lock_irqsave
701 0.0196 kallsyms tcp_v4_rcv
699 0.0195 libm-2.23.so __ieee754_log_avx
686 0.0192 nf_nat /nf_nat
684 0.0191 kallsyms tcp_write_xmit
674 0.0188 kallsyms __cmpxchg_double_slab.isra.44
626 0.0175 kallsyms __netif_receive_skb_core
621 0.0173 libnettle.so.6.2 /usr/lib/x86_64-linux-gnu/libnettle.so.6.2
608 0.0170 kallsyms delay_tsc
600 0.0168 kallsyms ksize
595 0.0166 kallsyms tcp_ack
592 0.0165 kallsyms __local_bh_enable_i