RE: [squid-users] SQUID and Welchia Worm (DoS)

From: Henrik Nordstrom <[email protected]>
Date: Wed, 14 Apr 2004 14:46:55 +0200 (CEST)

On Wed, 14 Apr 2004, pmquan wrote:

> But it is impossible with me, i have more than 4'000 concurrent clients
> infected with this virus. I cant firewall all of them and they are using
> dynamic ip address. Do you have another way?

iptables patch-o-matic has a match which could help in making a generic
firewall rule blocking misbehaving stations.. just make sure to make
reasonable exceptions for any child caches you may have.

also make sure to use "half_closed_clients off" in squid.conf

Use of proxy authentication should also quite effectively stop these
worms, but will cost you quite a bit of CPU time on the proxy server..

In any event you need to make sure to have the infected stations cleaned
one way or another.

Regards
Henrik
Received on Wed Apr 14 2004 - 06:47:02 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT