Re: [squid-users] eating cpu

From: Alceu Rodrigues de Freitas Junior <alceu.rodrigues@dont-contact.us>
Date: Mon, 28 Jan 2002 17:59:47 -0500 (EST)

The best solution for you, of course, is to clean up all your client
machines. I had a problem with Nimda flooding a Gauntlet Firewall (from
NAI) because the virus makes HTTP requests all the time. I got a lot of
"bad http header request" in the log files but you can't block these
requests using a firewall because your users would do the same.

This is a mess; maybe you could check (using a sniffer) EXACTLY how
Nimda's requests work and try to match them using firewall rules. But
this could be a rigmarole. Try to clean up your client machines. It's
hard work, but it's worth it.

On Tue, 29 Jan 2002, Kancha . wrote:

> I'm using a Dell PowerEdge 2300 without RAID. I'm
> using a SCSI HDD.
>
> One of the reasons squid is consuming cpu is due to
> nimda and codered. I've seen lots of nimda and codered
> requests in the log file.
>
> So I put ACL to block the worms
>
> acl nimda1 url_regex -i defaul.ida
> and similar lines for root.exe and cmd.exe then
> http_access deny nimda1 and similarly for the other
> two acls
>
> Despite this the requests aren't blocked. Whenever
> there is a worm attack the cpu utilization just grows
> rapidly.
>
> If I could only block these worms I guess cpu
> utilization would drop.
>
> Currently I'm using ipchains to redirect port 80 to
> 3128 only for request coming from my network. My
> clients are infected with these worms. I can't have
> all my clients to clean nimda as it is impossible to
> keep track of every client.
>
> I've seen lots of people even in this list mention the
> use of iptables, so I guess I'll switch to iptables as
> well.
>
> What should be the value of cache_mem for a server
> with 256M RAM. Currently I'm using 8M. I was using 16M
> previously.
>
> --- pankaj patel <pankaj_surat@nettaxi.com> wrote:
> > I was also facing the same problem, I was using
> > Netfinity5000, I also tried
> > on assembled pc(p3-500)
> > Finally I moved back to RHL6.2 (2.2.14-5.0)
> > squid-2.3.STABLE1-5 and it's
> > working fine on both the machines.
> >
> > ----pp
> >
> > ----- Original Message -----
> > From: "Peter Smith" <peter.smith@UTSouthwestern.edu>
> > To: "Kancha ." <kancha2np@yahoo.com>
> > Cc: <squid-users@squid-cache.org>
> > Sent: Monday, January 28, 2002 10:11 PM
> > Subject: Re: [squid-users] eating cpu
> >
> >
> > > Kancha:
> > > It is entirely possible that you are using a Dell box that comes with
> > > raid hardware which uses the aacraid driver. If so, most likely you
> > > will have better luck downgrading to the 2.2 kernel. That is what I've
> > > had to do as I have 2 Dell Poweredge 2550s (with the aacraid driver.)
> > > My theory is the 2.4 series has a buggy aacraid driver.
> > >
> > > Peter Smith
> > > Linux Systems Administrator
> > > University of Texas Southwestern Medical Center at Dallas
> > > (USA) 214 648 3111
> > > peter.smith@utsouthwestern.edu
> > >
> > >
> > > Kancha . wrote:
> > >
> > > >I'm using squid as a transparent proxy on a RH 7.2
> > > >machine. The hardware that I'm using is Dell Power
> > > >Edge 2300 with 256Mb Ram and 6GB HDD. I've allocated
> > > >2G for cache. I've 8M and cache_mem and I'm also
> > > >running named on the server.
> > > >
> > > >Average requests / hr through the proxy is around
> > > >22000. After about 2 hours the cpu is utilized more
> > > >than 90% and the system gets really slow. The browsing
> > > >gets really slow. Despite the available bandwidth the
> > > >browsing speed drastically decreases.
> > > >
> > > >Where have I gone wrong ?? I'm using ipchains and
> > > >redirecting all my web traffic through the router.
> > > >
> > > >Under this circumstance what would be the ideal
> > > >configuration ??
> > > >
> > > >

-- 
Go away or I'll replace you with a very short shell script.
Received on Tue Jan 29 2002 - 04:58:24 MST
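
Added example (not part of the original thread, and not code from any poster or from the Squid project): a small script that tallies Code Red and Nimda requests per client from a Squid native-format access.log, as one way to find which machines need cleaning. The log lines and addresses are constructed, and Python's re module is assumed to behave like Squid's regex library for these simple patterns.

```python
import re
from collections import Counter, defaultdict

# Signatures named in the thread: Code Red (default.ida) and Nimda
# (root.exe, cmd.exe). Dots are escaped so they match a literal ".".
WORM_SIGNATURES = {
    "codered": re.compile(r"/default\.ida", re.I),
    "nimda": re.compile(r"/(root|cmd)\.exe", re.I),
}

# The pattern as it appears in the quoted message; an unescaped "."
# stands for exactly one arbitrary character.
AS_POSTED = re.compile(r"defaul.ida", re.I)

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident peer type
SAMPLE_LOG = """\
1012258787.101     45 192.168.1.23 TCP_MISS/404 512 GET http://10.9.8.7/scripts/root.exe?/c+dir - DIRECT/10.9.8.7 text/html
1012258787.412     38 192.168.1.23 TCP_MISS/404 498 GET http://10.9.8.8/c/winnt/system32/cmd.exe?/c+dir - DIRECT/10.9.8.8 text/html
1012258788.030    120 192.168.1.40 TCP_MISS/200 8312 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1012258788.655     51 192.168.1.77 TCP_MISS/404 530 GET http://10.9.8.9/default.ida?NNNNNNNN - DIRECT/10.9.8.9 text/html
1012258789.002     40 192.168.1.23 TCP_MISS/404 512 GET http://10.9.8.10/MSADC/root.exe?/c+dir - DIRECT/10.9.8.10 text/html
this line is truncated
"""

def classify(url):
    """Return the name of the first signature matching url, or None."""
    for name, pattern in WORM_SIGNATURES.items():
        if pattern.search(url):
            return name
    return None

def infected_clients(log_text):
    """Map client IP -> Counter of worm names seen in its requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, url = fields[2], fields[6]
        worm = classify(url)
        if worm:
            hits[client][worm] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, worms in sorted(infected_clients(SAMPLE_LOG).items()):
        print(client, dict(worms))
```

Note that AS_POSTED does not match a URL containing /default.ida: after "defaul" the single "." consumes the "t", and the next characters are ".id" rather than "ida".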

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:58 MST