From: Askar Ali Khan <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: too may error requests
Date: Sun, 1 Aug 2004 13:39:33 +0600
Message-ID: <a0f69e50408010039494fe0d7@mail.gmail.com>
Hi all,
We are a small-town-based ISP for dialup users. For some time we have
been getting too many requests like this in our squid access.log:
203.xx.xxx.62 | NONE/413 | 1653 | NONE
|error:request-too-large
It gets worse if we let a client who is sending such requests stay
connected for a while. After some time (within a minute), if we check
the client sending errors with
netstat -taun | grep IP | wc -l
500
500 is too many connections (and sometimes it's somewhere in 700-800)
from a single client; normally it would be 10 or 20 maximum.
And here is the tcpdump -n -t host IpOfClient-error-request-too-large
3.89.146.62.4563 > 203.89.149.112.http: S 4257159308:4257159308(0) win
8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4579 > 203.89.146.213.6129: S 4257825751:4257825751(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4572 > 203.89.146.213.2745: S 4257614747:4257614747(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4608 > 203.248.165.97.2745: S 4259124906:4259124906(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4612 > 203.248.165.97.3127: S 4259306850:4259306850(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4605 > 203.171.104.23.6129: S 4258977243:4258977243(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4592 > 203.89.210.235.1025: S 4258477049:4258477049(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4604 > 203.171.104.23.3127: S 4258938239:4258938239(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4598 > 203.89.210.235.http: S 4258699747:4258699747(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
It's just a small snapshot :)
We categorize this sorta client as virus infected and disconnect him
forcefully :( not a good practice, however it's necessary to get rid
of such shits and also sometimes block the user until he gets his
system cleaned.
1) Alright, I'm not going to ask squid-related things on this mailing
list, however I'd love to know if someone knows, after watching the
tcpdump output, what sorta request he is sending and is he really
infected with some type of virus or spyware?
2) Is it possible to block his "error:request-too-large" requests with iptables?
Any help in this regard will be greatly appreciated as before :)
Regards
Askar Ali
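
The fan-out visible in the tcpdump excerpt above can be measured per source address; this is an added example, not part of the original message. The function names, the `min_hosts` threshold and the 192.0.2.x line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump line: SRC.sport > DST.dport: S seq:seq(0) win ...
# \s+ lets a match span the line wraps introduced by the mail client.
SYN_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\w+):\s+S\s")

# Six wrapped packets copied from the message, plus one constructed line
# (192.0.2.x, documentation range) standing in for an ordinary client.
SAMPLE = """\
203.89.146.62.4579 > 203.89.146.213.6129: S 4257825751:4257825751(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4572 > 203.89.146.213.2745: S 4257614747:4257614747(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4608 > 203.248.165.97.2745: S 4259124906:4259124906(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4612 > 203.248.165.97.3127: S 4259306850:4259306850(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4605 > 203.171.104.23.6129: S 4258977243:4258977243(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
203.89.146.62.4592 > 203.89.210.235.1025: S 4258477049:4258477049(0)
win 8760 <mss 1460,nop,nop,sackOK> (DF)
192.0.2.10.1045 > 192.0.2.80.http: S 1000:1000(0) win 8760 <mss 1460> (DF)
"""

def syn_fanout(capture):
    """Map each source IP to its SYN count, distinct hosts and distinct ports."""
    stats = defaultdict(lambda: {"syns": 0, "hosts": set(), "ports": set()})
    for src, dst, port in SYN_RE.findall(capture):
        entry = stats[src]
        entry["syns"] += 1
        entry["hosts"].add(dst)
        entry["ports"].add(port)
    return dict(stats)

def suspects(capture, min_hosts=3):
    """Sources whose SYNs reach at least min_hosts distinct destination hosts."""
    return sorted(src for src, s in syn_fanout(capture).items()
                  if len(s["hosts"]) >= min_hosts)

if __name__ == "__main__":
    for src, s in syn_fanout(SAMPLE).items():
        print(src, s["syns"], "SYNs,", len(s["hosts"]), "hosts,",
              len(s["ports"]), "ports")
    print("suspects:", suspects(SAMPLE))
```

Run over a longer capture, the per-source host and port counts separate a client opening a few web connections from one sending SYNs to many unrelated hosts and ports.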