Re: [squid-users] Handling client-side request floods

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Jul 2014 18:23:05 +1200

On 2014-07-08 13:17, Dan Charlesworth wrote:
> Hey folks
>
> So I support a bunch of Squid deployments and every so often I’ll get
> a call about poor performance, or very large access log files etc.
>
> Oftentimes as soon as I crack open the access log I see there’s a
> handful of machines (sometimes just one) practically DoSing the proxy
> with failed requests (failing because the client app won’t comply with
> proxy authentication).
>
> Here’s a recent example of one of these bugs from Google Chrome:
> https://code.google.com/p/chromium/issues/detail?id=373181
>
> So I just wanted to see if anyone had any advice or suggestions for
> dealing with this kind of thing. I’m guessing iptables would be the
> logical place to try and prevent it, but I wouldn’t know where to
> start with rate limiting in iptables…
>
> Anyone care to share?

Andrew Beverley's QoS and traffic shaping documentation
(<http://andybev.com/index.php/Main_Page>) is probably the best place to
look for iptables-based solutions, with the official netfilter
documentation coming in second.

Squid-3.5 is coming with a new helper (ext_delayer_acl) which can be
configured to help in this type of situation. For older Squid versions
you can download the perl script from
<http://bazaar.launchpad.net/~squid/squid/trunk/files/head:/helpers/external_acl/delayer/>
- documentation for it is inside the script.

Amos
Received on Tue Jul 08 2014 - 06:23:15 MDT
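
Added example (not part of the original messages): a way to pick out the clients described in the question, i.e. those producing bursts of failed proxy-authentication requests, before deciding what to rate-limit. It assumes Squid's default native access.log format; the 60-second window, the threshold of 5 and the sample lines are constructed for illustration.

```python
from collections import defaultdict

def parse_line(line):
    """Return (timestamp, client_ip, http_status), or None if malformed.
    Assumed native format: time elapsed client result/status bytes method URL ..."""
    fields = line.split()
    if len(fields) < 4 or "/" not in fields[3]:
        return None
    try:
        return float(fields[0]), fields[2], int(fields[3].rsplit("/", 1)[1])
    except ValueError:
        return None

def find_auth_flooders(lines, window=60, threshold=5):
    """Map client -> peak number of 407 responses in any fixed window.
    One 407 per connection is a normal part of the proxy-auth handshake,
    so only clients whose peak reaches `threshold` are reported.
    Fixed buckets can split a burst that straddles a bucket boundary."""
    buckets = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or non-native lines
        ts, client, status = parsed
        if status == 407:
            buckets[(client, int(ts // window))] += 1
    peak = defaultdict(int)
    for (client, _bucket), count in buckets.items():
        peak[client] = max(peak[client], count)
    return {c: n for c, n in peak.items() if n >= threshold}

def _line(ts, client, result):
    # Builds one constructed log line; URL and sizes are placeholders.
    return f"{ts:.3f} 0 {client} {result} 3980 GET http://example.com/ - HIER_NONE/- text/html"

# Constructed sample: one flooding client, one slow repeater, one normal client.
SAMPLE = (
    [_line(1404800000 + i, "10.0.0.5", "TCP_DENIED/407") for i in range(8)]
    + [_line(1404800000 + 60 * i, "10.0.0.9", "TCP_DENIED/407") for i in range(6)]
    + [_line(1404800001, "10.0.0.7", "TCP_DENIED/407"),
       _line(1404800002, "10.0.0.7", "TCP_MISS/200"),
       "truncated line"]
)

if __name__ == "__main__":
    for client, count in sorted(find_auth_flooders(SAMPLE).items()):
        print(f"{client}: {count} auth failures within one {60}s window")
```

Only 10.0.0.5 is reported: 10.0.0.9 has six failures in total but never more than one per minute, which is why the check is on rate per window rather than on the raw count.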
