From owner-freebsd-security Thu Nov 2 12:29:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lark.capnet.state.tx.us (lark.capnet.state.tx.us [204.65.39.249])
    by hub.freebsd.org (Postfix) with ESMTP id 30FC837B479
    for ; Thu, 2 Nov 2000 12:29:23 -0800 (PST)
Received: from localhost (bbradsby@localhost)
    by lark.capnet.state.tx.us (8.10.0/8.10.0-NO UCE) with ESMTP id eA2KTGR43598;
    Thu, 2 Nov 2000 14:29:17 -0600 (CST)
Date: Thu, 2 Nov 2000 14:29:16 -0600 (CST)
From: Bryan Bradsby
To: security@FreeBSD.ORG
Subject: Re: DOS attack
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Have you checked your squid logs for the times when server load goes too high?

Just a wild guess, but you may have an open HTTP proxy, being abused by
people who get paid for each click on a banner.

What is the source of the squid connections?

-bryan bradsby
Security@capnet.state.tx.us

==============================

On Thu, 2 Nov 2000, Buliwyf McGraw wrote:

>
> I was researching the last incidents on the machine with the
> system load problem (possible attack) ...
> I get this: the service which crashes the server when the problem
> starts is the famous "squid".
> Normal days, the squid is running without problems and the load of
> the server is 0.5 (average), the required cputime for the program
> is 20%. Then the world is beautiful.
> But, when we have a bad day... the squid needs 90% 95% 100% cputime
> and the load of the server jumps until crash. The interrupts are too
> big in these moments.
> If I quit the network cable from the server... the load disappears and
> everything is right, but, if I put the network cable again... booom!!!
>
> The problem isn't every day, is just sometimes, some days... few hours.
>
> Thanks for any comment or suggestion...
> ;)
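
Added example, not part of the original thread: one way to answer the question about the source of the squid connections is to group requests in Squid's native `access.log` by hour, client address and destination host, keeping only clients outside the networks that are supposed to use the proxy. The `LOCAL_NETS` range, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumption: the networks allowed to use the proxy; replace with your own.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
973188010.101    120 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
973188020.500    250 198.51.100.7 TCP_MISS/200 4512 GET http://ads.example.com/click?id=1 - DIRECT/192.0.2.5 text/html
973188030.700    240 198.51.100.7 TCP_MISS/200 4498 GET http://ads.example.com/click?id=2 - DIRECT/192.0.2.5 text/html
973191700.200    260 203.0.113.9 TCP_MISS/200 4530 GET http://ads.example.com/click?id=3 - DIRECT/192.0.2.5 text/html
truncated line
"""

def is_local(addr, nets=LOCAL_NETS):
    """True if addr belongs to one of the networks allowed to use the proxy."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for hostnames
    return any(ip in net for net in nets)

def external_usage(lines, nets=LOCAL_NETS):
    """Map hour start (epoch seconds) -> Counter of (client, destination host)
    for requests made by clients outside the allowed networks."""
    buckets = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or foreign line
        try:
            ts = float(fields[0])
            if is_local(fields[2], nets):
                continue
        except ValueError:
            continue  # bad timestamp, or client logged as a hostname
        # CONNECT entries log host:port instead of a URL; keep them verbatim.
        host = urlsplit(fields[6]).hostname or fields[6]
        buckets[int(ts) // 3600 * 3600][(fields[2], host)] += 1
    return buckets

def report(buckets, top=5):
    """Render the busiest external (client, host) pairs per hour as text lines."""
    out = []
    for hour in sorted(buckets):
        for (client, host), n in buckets[hour].most_common(top):
            out.append(f"{hour} {client} -> {host}: {n} requests")
    return out

if __name__ == "__main__":
    print("\n".join(report(external_usage(SAMPLE_LOG.splitlines()))))
```

Any output at all means the proxy is serving clients it was not meant to serve; comparing the hours listed with the hours of high load shows whether the two coincide.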