I have had a problem in the last few weeks where our incoming bandwidth to
squid just soared to flood our entire bandwidth to the net (3MBps). I
rebooted squid and it all went away.
Today this happened again. I fired up tcpdump and saw that it was http
packets coming in from termsvr-sc.nai.com, which is Network Associates,
the makers of mcaffee virus scan. Here is some output.
[asteroid:~] $ nslookup termsvr-sc.nai.com
Server: luna.shreve.net
Address: 208.206.76.2
Non-authoritative answer:
Name: termsvr-sc.nai.com
Addresses: 208.228.228.231, 208.228.228.235, 208.228.228.237,
208.228.228.238
208.228.228.239, 208.228.228.241
[root@constellation logs]# grep 208.228.228 access.log
.
<alot deleted>
.
.
913217026.045 RELEASE FFFFFFFF 200 913213894 -1 -1
application/x-mcafee-ec-1*7d3a13f3-9487e54e-dc1b60f3 512/10648562 POST
http://208.228.228.238/ECom/Pull/EcomPullDLL.dll?
913217062.369 RELEASE FFFFFFFF 200 913213867 -1 -1
application/x-mcafee-ec-1*382f70a7-b2c9623-4f55b501 512/10648562 POST
http://208.228.228.238/ECom/Pull/EcomPullDLL.dll?
913217085.047 RELEASE FFFFFFFF 200 913214717 -1 -1
application/x-mcafee-ec-1*bd8ca470-b1e289ac-3e39dc6f 512/10648562 POST
http://208.228.228.238/ECom/Pull/EcomPullDLL.dll?
913217111.504 RELEASE FFFFFFFF 200 913213960 -1 -1
application/x-mcafee-ec-1*c86b87a5-6d1943b0-15468a25 512/10648562 POST
http://208.228.228.238/ECom/Pull/EcomPullDLL.dll?
913217116.722 RELEASE FFFFFFFF 200 913214760 -1 -1
application/x-mcafee-ec-1*c72c1562-ce57ba0f-bd626629 512/10648126 POST
http://208.228.228.238/ECom/Pull/EcomPullDLL.dll?
913214509.691 43353
208.214.44.131 TCP_MISS/200 1800 POST
http://208.228.228.237/ECom/Pull/EcomPullDLL.dll? - DIRECT/208.228.228.237
application/x-mcafee-ec-1*3746468a-9646a98e-4dfa0b82
913215596.523 17371 208.214.44.131 TCP_MISS/200 774 POST
http://208.228.228.237/ECom/Pull/EcomPullDLL.dll? - DIRECT/208.228.228.237
application/x-mcafee-ec-1*4fba7790-616da186-9f857147
913215638.669 40972 208.214.44.131 TCP_MISS/200 1800 POST
http://208.228.228.237/ECom/Pull/EcomPullDLL.dll? - DIRECT/208.228.228.237
application/x-mcafee-ec-1*95d27431-a9841247-17dd65b8
Does anyone know what would cause termsvr-sc.nai.com to spew massive
amounts of data at my squid? Could squid be in some kind of infinite
get/request loop with nai.com to flood our pipes? I can get any data
anyone needs to help in track this down.
The number of requests for nai.com was not in line with what was coming
in. I could tail -f the access and store logs and grep for 208.228.228
and see NOTHING, yet if I did a tcpdump and greped for 208.228.228 it was
overwhelming.
I appreciate any help anyone can offer. Thanks.
Brian
--------------------------------------------------------------------------
Brian Feeny (BF304) | ShreveNet Inc. - Premium Internet Service Provider
Network Administrator | Shreveport, Louisiana - http://www.shreve.net/
signal@shreve.net | Web Hosting, Virtual Domains, Storefronts,
(318)222-2NET x 109 | Database/Web Integration, 56k, ISDN, T1
Received on Wed Dec 09 1998 - 08:50:18 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:36 MST