Re: [squid-users] New exploit? Two squid proxies simultaneously spike to 99 percent CPU utilization.

From: Ralf Hildebrandt <[email protected]>
Date: Mon, 11 Oct 2004 23:03:04 +0200

* Spam <spam@corn-bread.org>:

> I use Big Sister to monitor my networks. Earlier today, I began
> getting CPU utilization messages on two of my proxies. Each proxy
> was reporting 99 percent utilization, caused by the squid process.
> These proxies are located at completely different businesses
> located on opposite ends of town, and they have no affiliation with
> each other.

Same here this morning. It started at about 12:00 CEST, and lasted for
1-2h. All our proxies were affected and we didn't see any sign of
runaway clients hammering away at hundreds of connections per second.

The load just spiked.

> Then I looked at my big sister trend logs and really freaked out.
> They both started spiking at almost EXACTLY the same time and in
> EXACTLY the same pattern. To see what I mean, check out the
> patterns:

Same here.
 
> http://www.corn-bread.org/admintest.bmp
> http://www.corn-bread.org/rudolph.bmp
>
> Note that the times, severity of the spike, etc are roughly the same.
>
>
> Both systems are redhat 9 running squid rpms (squid-2.5.STABLE1-3.9).

We're running Debian/testing on kernel 2.6.8 SMP

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)          Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-8445-4447
IT-Zentrum Standort CBF                                   AIM.  ralfpostfix
Received on Mon Oct 11 2004 - 15:03:10 MDT
