On Tue, Aug 17, 2010 at 17:03, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> Nyamul Hassan wrote:
>>
>> Hi,
>>
>> One of the proxies died today, because the log files were overwhelming:
>>
>> -rw-r----- 1 squid squid 61440 Aug 17 16:01 access.log
>> -rw-r----- 1 squid squid 523366451 Aug 17 02:59 access.log.0
>> -rw-r----- 1 squid squid 771658231 Aug 17 00:00 access.log.1
>> -rw-r----- 1 squid squid 562853886 Aug 16 21:00 access.log.2
>> -rw-r----- 1 squid squid 618221433 Aug 16 18:00 access.log.3
>> -rw-r----- 1 squid squid 572403480 Aug 16 15:00 access.log.4
>> -rw-r----- 1 squid squid 379977665 Aug 16 12:00 access.log.5
>> -rw-r----- 1 squid squid 348474013 Aug 16 09:00 access.log.6
>> -rw-r----- 1 squid squid 367307983 Aug 16 06:00 access.log.7
>> -rw-r----- 1 squid squid 663904388 Aug 16 03:00 access.log.8
>> -rw-r----- 1 squid squid 735110835 Aug 16 00:00 access.log.9
>> -rw-r----- 1 squid squid 36715761664 Aug 17 16:01 cache.log
>> -rw-r----- 1 squid squid 14262776941 Aug 17 03:00 cache.log.0
>> -rw-r----- 1 squid squid 955445 Aug 17 00:00 cache.log.1
>> -rw-r----- 1 squid squid 748262 Aug 16 21:00 cache.log.2
>> -rw-r----- 1 squid squid 1069482 Aug 16 18:00 cache.log.3
>> -rw-r----- 1 squid squid 698758 Aug 16 15:00 cache.log.4
>> -rw-r----- 1 squid squid 497547 Aug 16 11:59 cache.log.5
>> -rw-r----- 1 squid squid 271153 Aug 16 08:59 cache.log.6
>> -rw-r----- 1 squid squid 355351 Aug 16 05:59 cache.log.7
>> -rw-r----- 1 squid squid 759748 Aug 16 02:59 cache.log.8
>> -rw-r----- 1 squid squid 1037802 Aug 15 23:59 cache.log.9
>>
>> As you can see, those "HUGE" cache log files were filled up in less
>> than 12 hours. Opening them up, I find they were filled with the
>> following lines, repeated over and over again:
>>
>> 2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
>> 2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument
>> 2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
>> 2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument
>> 2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument
>> 2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument
>>
>> And, that is the time from when it started. Is there any way to
>> determine what is causing this?
>
> Start with the Squid version and what settings your http_port is configured with.
>
> Then we check for what it means. Google locates several requests, strangely around August each year for the last few.
>
> Someone describes it thus: "The problem is however elsewhere, since it somewhere fails to obtain a socket (or has its socket destroyed by the kernel somehow) so that when it calls accept(2) on the socket it's not a socket any more."
>
> Might be a SYN-flood DoS by that description. But your OS security should be catching such a thing before it gets near any internal software like Squid.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.6
> Beta testers wanted for 3.2.0.1

Squid 2.7STABLE9
http_port 3128 transparent
iptables is running, but no rules are there.

Regards
HASSAN
Received on Tue Aug 17 2010 - 11:12:01 MDT
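
Added example, not part of the original thread or of Squid: a triage script for the kind of cache.log flood shown above, which streams the log, finds the first second in which the same FD error repeats, and reports which listening FD and errno dominate. The threshold and the sample lines are assumptions; the sample is constructed from the lines quoted in the thread plus one made-up normal line.

```python
import re
from collections import Counter

# Squid cache.log line: "YYYY/MM/DD HH:MM:SS| message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
# Error shape seen in the thread: "<func>: FD <n>: ... (<errno>) <text>"
ERR_RE = re.compile(r"^(\w+): FD (\d+): .*?\((\d+)\) (.+)$")

# Constructed sample: the repeated lines from the thread plus one normal line.
SAMPLE = [
    "2010/08/17 02:33:10| Ready to serve requests.",
    "2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument",
    "2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument",
    "2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument",
    "2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument",
    "2010/08/17 02:33:11| comm_accept: FD 28: (22) Invalid argument",
    "2010/08/17 02:33:11| httpAccept: FD 28: accept failure: (22) Invalid argument",
]

def summarize(lines, per_second_threshold=3):
    """Summarize repeated FD errors in an iterable of cache.log lines.

    per_second_threshold is an assumed tuning value, not a Squid setting.
    Pass an open file object to stream a multi-gigabyte log line by line.
    """
    per_second = Counter()  # (timestamp, func, fd, errno) -> count
    totals = Counter()      # (func, fd, errno, text) -> count
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # continuation lines or truncated writes
        ts, msg = m.groups()
        e = ERR_RE.match(msg)
        if not e:
            continue  # ordinary log message, not an FD error
        func, fd, err, text = e.groups()
        per_second[(ts, func, int(fd), int(err))] += 1
        totals[(func, int(fd), int(err), text)] += 1
    # Keys start with the timestamp, so sorting puts the earliest burst first.
    bursts = sorted(k for k, n in per_second.items() if n >= per_second_threshold)
    return {
        "first_burst": bursts[0][0] if bursts else None,
        "burst_fds": sorted({k[2] for k in bursts}),
        "top": totals.most_common(1)[0] if totals else None,
    }
```

The first burst timestamp is the point to correlate with kernel logs and with changes to the listening socket, and the FD number can be matched against the http_port listener.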