Re: [squid-users] How do I DOS-proof my cache

From: Amos Jeffries <[email protected]>
Date: Thu, 17 Apr 2008 14:39:52 +1200 (NZST)

> Hey Squid users :)
>
> We had a problem recently where a user with a misconfigured download
> accelerator was able to bring our proxy to its knees, downloading an
> 80MB driver about 100 times in parallel. We temporarily solved the
> problem by stopping the download accelerator, but this makes me aware
> of how vulnerable our proxy is to heavy DOS-type attacks.
>
> I've read a bit about the partial object caching expected in 3.1,
> range_offset, and half-closed clients. Can anybody share some ideas
> for making a squid cache more resilient to this kind of abuse / attack?
>

The 'maxconn' ACL is available in all squid to protect against this type
of client.

The collapsed forwarding feature of 2.x designed to cope with wider DDoS
still needs someone with time to port it into 3.x.
http://wiki.squid-cache.org/Features/CollapsedForwarding

Amos
Received on Tue Apr 22 2008 - 14:54:56 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT