Re: [squid-users] New exploit? Two squid proxies simultaneously spike to 99 percent CPU utilization.

From: Spam <[email protected]>
Date: Tue, 12 Oct 2004 03:09:50 -0700

Doubtful.

I was using IPtraf to watch for that kind of thing, and nothing
appeared out of the ordinary.

In fact, if it had indeed been this, then it could have been traced
through the logs as x-mime/messenger requests are logged.

The other strange thing I noticed about this is that the network
utilization didn't really go up.

Very odd.

----- Original Message -----
From: "Hwee Khoon, Neo" <hweekhoon.neo@pacific.net.sg>
To: "Elsen Marc" <elsen@imec.be>; <squid-users@squid-cache.org>
Sent: Monday, October 11, 2004 11:13 PM
Subject: RE: [squid-users] New exploit? Two squid proxies simultaneously
spike to 99 percent CPU utilization.

> MSN Messenger was down during that period; did you observe an increase in
> SYN packet count?
>
> -----Original Message-----
> From: Elsen Marc [mailto:elsen@imec.be]
> Sent: Tuesday, October 12, 2004 1:43 PM
> To: Spam; squid-users@squid-cache.org
> Subject: RE: [squid-users] New exploit? Two squid proxies simultaneously
> spike to 99 percent CPU utilization.
>
>
>
>
> > This is freaky.
> >
> > I use Big Sister to monitor my networks. Earlier today, I began
> > getting CPU utilization messages on two of my proxies. Each proxy was
> > reporting 99 percent utilization, caused by the squid process. These
> > proxies are located at completely different businesses located on
> > opposite ends of town, and they have no affiliation with each other.
> >
> > I investigated for a few hours and I couldn't find a reason. The
> > access logs weren't excessive and there didn't seem to be a lot of
> > traffic through the proxies.
> >
> > Then I looked at my Big Sister trend logs and really freaked
> > out. They both started spiking at almost EXACTLY the same time and in
> > EXACTLY the same pattern.
> > To see what I mean, check out the patterns:
> >
> > http://www.corn-bread.org/admintest.bmp
> > http://www.corn-bread.org/rudolph.bmp
> >
> > Note that the times, severity of the spike, etc are roughly the same.
> >
> >
> > Both systems are redhat 9 running squid rpms (squid-2.5.STABLE1-3.9).
> >
> > I can post my squid.confs if needed.
> >
> > Any known issues right now?
>
> I got it too.
>
> Quite remarkable; perhaps it is not an exploit but due to a chunk
> of the Internet becoming available, making SQUID check on
> hanging connections. I don't know.
>
> Some insights may perhaps come from, when it happens again:
>
> % squid -k debug ; sleep 2; squid -k debug
>
> Check cache.log afterwards.
>
> M.
>
Received on Tue Oct 12 2004 - 03:11:02 MDT
