RE: [squid-users] Request header is too large

From: Elsen Marc <[email protected]>
Date: Fri, 23 Apr 2004 10:13:45 +0200

 
>
> Hello All
>
> I am getting a lot of these messages in my cache.log
>
> 2004/04/23 02:21:02| Request header is too large (10494 bytes)
> 2004/04/23 02:21:02| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:21:30| Request header is too large (11680 bytes)
> 2004/04/23 02:21:30| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:24:27| Request header is too large (10494 bytes)
> 2004/04/23 02:24:27| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:24:50| Request header is too large (11680 bytes)
> 2004/04/23 02:24:50| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:26:07| Request header is too large (10494 bytes)
> 2004/04/23 02:26:07| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:26:44| Request header is too large (11680 bytes)
> 2004/04/23 02:26:44| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:27:28| Request header is too large (10494 bytes)
> 2004/04/23 02:27:28| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:27:50| Request header is too large (12287 bytes)
> 2004/04/23 02:27:50| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:32:31| Request header is too large (12287 bytes)
> 2004/04/23 02:32:31| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:34:13| Request header is too large (10494 bytes)
> 2004/04/23 02:34:13| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:34:29| Request header is too large (11680 bytes)
> 2004/04/23 02:34:29| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:35:12| Request header is too large (11954 bytes)
> 2004/04/23 02:35:12| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:35:33| Request header is too large (11680 bytes)
> 2004/04/23 02:35:33| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:39:42| Request header is too large (10494 bytes)
> 2004/04/23 02:39:42| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:40:05| Request header is too large (12287 bytes)
> 2004/04/23 02:40:05| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:50:19| Request header is too large (10494 bytes)
> 2004/04/23 02:50:19| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:50:38| Request header is too large (12287 bytes)
> 2004/04/23 02:50:38| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:52:33| Request header is too large (10494 bytes)
> 2004/04/23 02:52:33| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 02:53:09| Request header is too large (10495 bytes)
> 2004/04/23 02:53:09| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:19:07| Request header is too large (10494 bytes)
> 2004/04/23 03:19:07| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:19:19| Request header is too large (10495 bytes)
> 2004/04/23 03:19:19| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:24:47| Request header is too large (11680 bytes)
> 2004/04/23 03:24:47| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:27:30| Request header is too large (11680 bytes)
> 2004/04/23 03:27:30| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:30:41| Request header is too large (11680 bytes)
> 2004/04/23 03:30:41| Config 'request_header_max_size'= 10240 bytes.
> 2004/04/23 03:32:27| Request header is too large (10494 bytes)
> 2004/04/23 03:32:27| Config 'request_header_max_size'= 10240 bytes.
>
> I believe this is some kind of Dos Attack from some virus on
> client's systems
> because when this happens, MRTG shows increase in HTTP all
> service time and
> HTTP miss service time (I am also attaching MRTG graphs for
> your view) and
> all the clients start complaining. Can any one shed more
> light on this
> problem? Like which virus is responsible for this and what
> can be done in
> squid config to avoid this except to block/disconnect the
> infected client.
>
> �
>
 
  Check SQUID's access log to further identify these requests.
  If they turn out to be malicious , then block using ACL mechanisms (e.d.)

  M.
Received on Fri Apr 23 2004 - 02:13:51 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT