Re: [squid-users] Blocking worm(s)



Old 02-19-2004
Henrik Nordstrom

On Thu, 19 Feb 2004, Brad Groshok wrote:

> Looking through past comments about this, someone has suggested blocking
> requests to ip addresses.
> (think this is what was suggested)
>
> acl worm url_regex ^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/.*$
> http_access deny worm


This should work, but will also block users from accessing such pages.

> Others have said this is a firewall issue and should be dealt with at the
> router level.


This is best, but hard to automate.

> Which approach would be best for dealing with this problem?
> Having squid deal with it, or blocking at the router level?
>
> And if at the router level
> Can anybody post a simple solution for blocking this on a cisco router.


It does not need to be in the router. Almost all OSes where Squid runs
have firewalling capabilities allowing you to install filters like these.

Doing it on the proxy server makes life a lot easier, as you can then have
a small program which monitors the proxy access log for dubious activity
and blocks the IP addresses generating such traffic.

> Actually, one last question. What is really happening here?
> Is the worm making many requests, presumably to ip addresses that don't
> have web servers running on them, and squid is waiting for the replies to
> come back? (timing out)


If you see a lot of requests for IP addresses or a certain web site from a
few clients, where "a lot" is in proportion to the amount of normal traffic,
then something hairy is going on at those clients, usually a worm.

> Is squid getting slow because it has reached some max number of open
> connections? (while waiting for these replies/timeouts)


Squid performance degrades if it needs to keep very many connections, and
gets very poor if it runs out of filedescriptors (see cache.log for
warnings about this).

Configuration directives which help somewhat are (in priority order):

half_closed_clients off
client_persistent_connections off
server_persistent_connections off

Regards
Henrik
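The "small program which monitors the proxy access log" that Henrik mentions, as an added example that is not part of the thread or of Squid itself. It reads Squid's native access.log format (timestamp, elapsed, client, action/code, size, method, URL, ...), counts per client how many requests go to bare IP addresses using the same dotted-quad idea as the url_regex ACL quoted above, and flags clients whose IP-address requests are both numerous and a large share of their traffic, which is the "in proportion to normal traffic" test from the reply. The thresholds, the sample log lines and the function names are assumptions; handing the flagged addresses to the host firewall is left to the operator.

```python
import re
from collections import defaultdict

# An http(s) URL whose host is a dotted-quad IP address (optionally with a
# port), the same pattern the url_regex ACL in the thread is aiming at.
IP_URL = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)')

def parse_native_line(line):
    """Return (client_ip, url) from a Squid native-format access.log line,
    or None if the line does not have enough fields to be one."""
    fields = line.split()
    if len(fields) < 7:
        return None
    # native format: time elapsed client action/code size method url ...
    return fields[2], fields[6]

def suspicious_clients(lines, min_ip_requests=20, min_ratio=0.5):
    """Flag clients whose requests to bare IP addresses are at least
    min_ip_requests and at least min_ratio of all their requests.
    Thresholds are assumed values; tune them to the site's normal traffic.
    Returns {client: (ip_requests, total_requests)}."""
    total = defaultdict(int)
    to_ip = defaultdict(int)
    for line in lines:
        parsed = parse_native_line(line)
        if parsed is None:
            continue
        client, url = parsed
        total[client] += 1
        if IP_URL.match(url):
            to_ip[client] += 1
    flagged = {}
    for client, n in total.items():
        k = to_ip[client]
        if k >= min_ip_requests and k / n >= min_ratio:
            flagged[client] = (k, n)
    return flagged

# Constructed sample log: one client hammering random IPs that never answer
# (TCP_MISS/503, zero bytes), one normal user who also hits one IP URL.
SAMPLE_LOG = [f"1077188400.{i:03d} 1200 192.168.1.10 TCP_MISS/503 0 GET "
              f"http://10.{i}.{i}.{i}/ - DIRECT/10.{i}.{i}.{i} -" for i in range(30)]
SAMPLE_LOG += [
    "1077188401.000 245 192.168.1.20 TCP_MISS/200 5120 GET http://www.squid-cache.org/ - DIRECT/www.squid-cache.org text/html",
    "1077188402.000 120 192.168.1.20 TCP_HIT/200 4096 GET http://192.168.1.1/status - DIRECT/192.168.1.1 text/html",
    "1077188403.000 300 192.168.1.20 TCP_MISS/200 8192 GET http://www.example.com/ - DIRECT/www.example.com text/html",
]

if __name__ == "__main__":
    for client, (k, n) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {k} of {n} requests went to bare IP addresses")
```

Run it against a real access.log with `suspicious_clients(open("/var/log/squid/access.log"))`; with the default thresholds only 192.168.1.10 is reported for the sample above.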
