Date: Thu, 2 Nov 2000 18:26:52 -0500 (COT)
From: Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
To: security@FreeBSD.ORG
Subject: Re: DOS attack II
Message-ID: <Pine.BSF.4.21.0011021753550.20146-100000@libertad.univalle.edu.co>
In-Reply-To: <Pine.BSF.4.21.0011021424150.26450-100000@localhost>
> Have you checked your squid logs for the times when server load goes too
> high?
It was the first thing we did... but there is nothing different
or strange in the logs... I checked /var/log/messages and the squid
logs... the only special thing was what I told you:
"icmp_request bandwidth limit 105/100 pps"
Nothing more.
> Just a wild guess, but you may have an open HTTP proxy, being abused by
> people who get paid for each click on a banner.
The proxy isn't open. It is only for my domain... the problem may be
that we have many users... but anyway, the proxy was working well until
some weeks ago.
> What is the source of the squid connections?
All my intranet (only) makes the requests. The Internet gives us the answers.
The next time the problems come back, I am going to use tcpdump to check
what is coming to the interface... I will use ttt to see which
protocol has the most load on the segment... and then I expect to get
something about the problem.
Thanks for any comment...
> On Thu, 2 Nov 2000, Buliwyf McGraw wrote:
>
> >
> > I was researching the last incidents on the machine with the
> > system load problem (possible attack) ...
> > I get this: the service which crashes the server when the problem
> > starts is the famous "squid".
> > On normal days, squid is running without problems and the load of
> > the server is 0.5 (average), the required cputime for the program
> > is 20%. Then the world is beautiful.
> > But, when we have a bad day... squid needs 90% 95% 100% cputime
> > and the load of the server jumps until it crashes. The interrupts are too
> > big in these moments.
> > If I quit the network cable from the server... the load disappears and
> > everything is right, but, if I put the network cable again... booom!!!
> >
> > The problem isn't every day, it is just sometimes, some days... a few hours.
> >
> > Thanks for any comment or suggestion... ;)
>
=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================
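
The two questions raised in this message (what the squid logs show when load climbs, and where the squid connections come from) can be answered together from access.log. The following is an added example, not part of the original e-mail or of squid: it assumes squid's native access.log layout, an intranet prefix of 10.0.0.0/8, and hypothetical function names, and the log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: time.ms elapsed client action/code bytes method URL ident hier type
SAMPLE_LOG = """\
973207500.101 120 10.0.1.15 TCP_MISS/200 4312 GET http://example.org/ - DIRECT/192.0.2.10 text/html
973207530.442 98 10.0.2.77 TCP_HIT/200 1020 GET http://example.org/a.gif - NONE/- image/gif
973207565.010 230 10.0.1.15 TCP_MISS/200 812 GET http://example.net/ - DIRECT/192.0.2.20 text/html
973207621.300 15 10.0.3.9 TCP_MISS/200 300 GET http://example.com/ad?1 - DIRECT/192.0.2.30 text/html
973207621.900 14 10.0.3.9 TCP_MISS/200 300 GET http://example.com/ad?2 - DIRECT/192.0.2.30 text/html
973207622.500 16 10.0.3.9 TCP_MISS/200 300 GET http://example.com/ad?3 - DIRECT/192.0.2.30 text/html
973207623.100 13 203.0.113.50 TCP_MISS/200 300 GET http://example.com/ad?4 - DIRECT/192.0.2.30 text/html
973207623.700 15 10.0.3.9 TCP_MISS/200 300 GET http://example.com/ad?5 - DIRECT/192.0.2.30 text/html
973207690.000 110 10.0.2.77 TCP_MISS/200 2048 GET http://example.org/b - DIRECT/192.0.2.10 text/html
garbage line that should be skipped
"""

def per_minute(lines, bucket=60):
    """Map bucket start (epoch seconds) -> Counter of client addresses."""
    buckets = defaultdict(Counter)
    for line in lines:
        fields = line.split()
        try:
            ts, client = float(fields[0]), ipaddress.ip_address(fields[2])
        except (IndexError, ValueError):
            continue  # truncated or non-native-format line
        buckets[int(ts) // bucket * bucket][client] += 1
    return buckets

def spikes(buckets, intranet, factor=3.0):
    """Buckets busier than factor x the median: (start, total, top client, outsiders)."""
    if not buckets:
        return []
    nets = [ipaddress.ip_network(n) for n in intranet]
    base = median(sum(c.values()) for c in buckets.values())
    report = []
    for start in sorted(buckets):
        clients = buckets[start]
        total = sum(clients.values())
        if total > factor * base:
            outside = sorted(str(ip) for ip in clients
                             if not any(ip in n for n in nets))
            report.append((start, total, str(clients.most_common(1)[0][0]), outside))
    return report

if __name__ == "__main__":
    for row in spikes(per_minute(SAMPLE_LOG.splitlines()), ["10.0.0.0/8"]):
        print(row)
```

Any address in the last field of a reported row is a client outside the stated intranet prefix that the proxy served during a busy minute, which is the case an access-control check on the proxy should rule out.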
