RE: [squid-users] dos attack - How to handle

Hi

I am able to set maximum connection as 2 in squid. And squid gives me
error "Access Denied" also when I send multiple request to squid.
My questions are

1. Is squid checking how many concurrent http get request it is getting
and based on that it will allow and reject.
2. If one pc try to send more http request squid will give error message
" Access denied" . Will squid not open FD in this case? Will I be able
to control DOS attack using this feature?

3. If I put a /24 subnet address and allow 5 connections. Does it mean
any single IP address which belong to that subnet can send 5 concurrent
http get requests. So whole subnet should be able to send 254 * 5
concurrent get request.

Cordially,
Lokesh

-----Original Message-----
From: lokesh.khanna@accelonafrica.com
[mailto:lokesh.khanna@accelonafrica.com]
Sent: Wednesday, August 10, 2005 10:14 AM
To: ecasbas@unav.es
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] dos attack - How to handle

Hi

There is no error in Cache.log. I don't get any file descriptor message
in cache.log

My configuration was
acl losers src 192.168.1.0/24
acl 2CONN maxconn 5
http_access deny 2CONN losers

My laptop ip address was 192.168.1.2

Thanks- Lokesh

-----Original Message-----
From: Emilio Casbas [mailto:ecasbas@unav.es]
Sent: Wednesday, August 10, 2005 10:06 AM
To: Lokesh Khanna
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] dos attack - How to handle

lokesh.khanna@accelonafrica.com wrote:

>Hi
>
>I am running squid 2-5-10 on red hat 2.4.21-4.ELsmp with 1 Gb memory.
>Before compiling squid I set ulimt value to 32000. I also set ulimit
>-HSn 32000 command in my squid startup script.
>I noticed if anybody launch dos attack on my network from internal
>network, squid stop responding to other internal users also.
>
What does cache.log say?

> What is the
>solution for this.
>
I think the best solution for these attacks will be at layer network.

> One user should not be able to use whole resources.
>Is there any way to control this?
>I read squid document for maxconn parameter. I set maxconn to 2 for
>testing purpose and I made more than 2 connections ( checked through
>netstat -tn ) from my browsers but squid was still replying me. What
>could be the reason of this?
>
>
Are you sure that acl is correct?

acl example maxconn 2
http_access deny example

it should be work.

Thanks
Emilio C.
Disclaimer
************************************************************************
****************************************************
The information contained in this e-mail, any attached files, and
response threads are confidential and
may be legally privileged. It is intended solely for the use of
individual(s) or entity to which it is addressed
and others authorised to receive it. If you are not the intended
recipient, kindly notify the sender by return
mail and delete this message and any attachment(s) immediately.
 
Save as expressly permitted by the author, any disclosure, copying,
distribution or taking action in reliance
on the contents of the information contained in this e-mail is strictly
prohibited and may be unlawful.
 
Unless otherwise clearly stated, and related to the official business of
Accelon Nigeria Limited, opinions,
conclusions, and views expressed in this message are solely personal to
the author.
 
Accelon Nigeria Limited accepts no liability whatsoever for any loss, be
it direct, indirect or consequential,
arising from information made available in this e-mail and actions
resulting there from.
 
For more information about Accelon Nigeria Limited, please see our
website at
http://www.accelonafrica.com
************************************************************************
******************************************************
Disclaimer
****************************************************************************************************************************
The information contained in this e-mail, any attached files, and response threads are confidential and
may be legally privileged. It is intended solely for the use of individual(s) or entity to which it is addressed
and others authorised to receive it. If you are not the intended recipient, kindly notify the sender by return
mail and delete this message and any attachment(s) immediately.
 
Save as expressly permitted by the author, any disclosure, copying, distribution or taking action in reliance
on the contents of the information contained in this e-mail is strictly prohibited and may be unlawful.
 
Unless otherwise clearly stated, and related to the official business of Accelon Nigeria Limited, opinions,
conclusions, and views expressed in this message are solely personal to the author.
 
Accelon Nigeria Limited accepts no liability whatsoever for any loss, be it direct, indirect or consequential,
arising from information made available in this e-mail and actions resulting there from.
 
For more information about Accelon Nigeria Limited, please see our website at
http://www.accelonafrica.com
******************************************************************************************************************************
Received on Wed Aug 10 2005 - 07:01:49 MDT