Re: [squid-users] New exploit? Two squid proxies simultaneously spike to 99 percent CPU utilization.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 13 Oct 2004 12:59:53 +0200 (CEST)

On Wed, 13 Oct 2004, Matus UHLAR - fantomas wrote:

> I'd try to find out which clients caused the problem and disable them
> proxy access. afaik, this problem comes from badly configured
> ("overfirewalled") clients, and fixing them would be imho better than
> turning half_closed_clients off

Unfortunately not the case. This has nothing or very little to do with
firewalling.

When half_closed_clients is in its default "on" Squid can not detect if
a client aborted the connection or simply half-closed it until there is a
response to send to the client. This makes a major difference when a
frequently requested web site is unreachable as you will then get very
many requests waiting for the web server to respond, and Squid can not
detect that the clients have aborted their requests forcing Squid to keep
all those connections until timeout (normally 2 minutes per request).

What is true is that with "half_closed_clients on" and over firewalled
clients Squid will have an even harder time as it then may not even be able
to detect the aborted connection in a timely fashion even when finally
sending the response to the client. This occurs if the client firewall has
expired the connection and the firewall is set to drop (not reset) unknown
traffic. But in most cases the response is quite small allowing Squid to
detach from the connection making this only a worry for the TCP/IP stack
of the server where Squid runs.

Regards
Henrik
Received on Wed Oct 13 2004 - 04:59:58 MDT
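The distinction at the heart of this reply (a half-closed client and a client that simply closed both look like EOF on read; only a write exposes the difference) shown as an added Python example, not part of the thread or of Squid's code. It uses a loopback socket pair and assumes a TCP stack (Linux, BSD) that answers data sent to an already-closed socket with RST.

```python
import socket
import threading
import time

# Constructed demo (not Squid code): a "client" finishes its request either by
# half-closing (shutdown SHUT_WR) or by closing the socket outright. On the
# server side both look identical on read (EOF); only a write tells them apart.

def probe(client_mode: str) -> dict:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port on loopback
    srv.listen(1)
    port = srv.getsockname()[1]

    def client() -> None:
        c = socket.create_connection(("127.0.0.1", port))
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        if client_mode == "half_close":
            c.shutdown(socket.SHUT_WR)   # "no more data from me", still reading
            time.sleep(1.0)              # stay around to accept the response
        c.close()                        # "abort": both directions gone

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    request = conn.recv(4096)
    eof_on_read = conn.recv(4096) == b""   # EOF in BOTH modes: indistinguishable

    # The server only learns the truth when it finally has a response to send:
    # a half-closed peer accepts it, a closed peer answers with RST.
    abort_detected = False
    try:
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 6\r\n\r\n")
        time.sleep(0.2)                  # let a RST from a closed peer arrive
        conn.sendall(b"hello\n")
    except (BrokenPipeError, ConnectionResetError):
        abort_detected = True
    conn.close()
    srv.close()
    t.join()
    return {"request": request, "eof_on_read": eof_on_read,
            "abort_detected_on_write": abort_detected}

if __name__ == "__main__":
    for mode in ("half_close", "abort"):
        print(mode, probe(mode))
```

This is why, with no response to send for a long time (an unreachable origin), the proxy holds the connection until its timeout; with half_closed_clients off, the EOF itself is treated as an abort.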
