RE: [squid-users] SQUID and Welchia Worm (DoS)

From: pmquan <pmquan@dont-contact.us>
Date: Wed, 14 Apr 2004 18:55:52 +0700

Thanx for your help.

But it is impossible with me, i have more than 4'000 concurrent clients
infected with this virus. I cant firewall all of them and they are using
dynamic ip address. Do you have another way?

 

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Wednesday, April 14, 2004 06:45 PM
To: pmquan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SQUID and Welchia Worm (DoS)

On Wed, 14 Apr 2004, pmquan wrote:

> Many users in my network infected with Welchia.Worm and this virus
> send mass-request out to port 80. SQUID handle that and hang on (I can
> connect to SQUID but my SQUID didnt respone till i restarted itself).
> And it going down again after 5mins ;(

Your clients are performing a Denial of Service (DoS) attack on your Squid.

Identify the offending IP addresses from access.log and then firewall these
stations from using the proxy until they have been cleaned.

Most OS:es have good firewalling capabilities which can be used for this
purpose. Linux and *BSD for certainly does.

Regards
Henrik
Received on Wed Apr 14 2004 - 05:55:51 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT