Netgate Discussion Forum

    SquidGuard Mystery Bandwidth Hog

    pfSense Packages
    7 Posts 3 Posters 5.0k Views
    • darnitol

      Starting in August on some boxes Squidguard creates multiple connections to 128.242.186.240, 128.242.186.239 and 128.242.186.198 then consumes almost all available bandwidth (16Mb/s!) - output of:

      sockstat | grep 128.242.186

      yields:

      proxy    squid      55204 28 tcp4   x.x.x.x:30105  128.242.186.239:80
      proxy    squid      55204 51 tcp4   x.x.x.x:43046  128.242.186.209:80
      proxy    squid      55204 54 tcp4   x.x.x.x:11147  128.242.186.209:80
      proxy    squid      55204 57 tcp4   x.x.x.x:25116  128.242.186.209:80
      proxy    squid      55204 63 tcp4   x.x.x.x:15130  128.242.186.248:80
      proxy    squid      55204 64 tcp4   x.x.x.x:30153  128.242.186.198:80
      proxy    squid      55204 73 tcp4   x.x.x.x:14614  128.242.186.238:80
      proxy    squid      55204 74 tcp4   x.x.x.x:26358  128.242.186.209:80
      proxy    squid      55204 80 tcp4   x.x.x.x:22563  128.242.186.238:80
      proxy    squid      55204 81 tcp4   x.x.x.x:30064  128.242.186.239:80
      proxy    squid      55204 82 tcp4   x.x.x.x:9633   128.242.186.238:80
      proxy    squid      55204 86 tcp4   x.x.x.x:30052  128.242.186.240:80
      proxy    squid      55204 87 tcp4   x.x.x.x:30054  128.242.186.238:80
      proxy    squid      55204 108 tcp4  x.x.x.x:30147  128.242.186.241:80
      proxy    squid      55204 110 tcp4  x.x.x.x:30086  128.242.186.240:80
      proxy    squid      55204 116 tcp4  x.x.x.x:30091  128.242.186.239:80
      proxy    squid      55204 120 tcp4  x.x.x.x:30144  128.242.186.209:80
      proxy    squid      55204 123 tcp4  x.x.x.x:30095  128.242.186.240:80
      proxy    squid      55204 124 tcp4  x.x.x.x:30096  128.242.186.240:80
      proxy    squid      55204 125 tcp4  x.x.x.x:30097  128.242.186.240:80
      proxy    squid      55204 126 tcp4  x.x.x.x:30098  128.242.186.240:80
      proxy    squid      55204 133 tcp4  x.x.x.x:30104  128.242.186.198:80
      proxy    squid      55204 140 tcp4  x.x.x.x:30122  128.242.186.209:80
      proxy    squid      55204 142 tcp4  x.x.x.x:30124  128.242.186.231:80
      proxy    squid      55204 157 tcp4  x.x.x.x:30168  128.242.186.239:80

      Removing or disabling the Squidguard package stops this behavior.  Has anyone else seen this?

      What I've tried:

      I have added 128.242.186.0/24 to the pfBlocker add-on with no visible results.
      I have disabled all of my Squid options which cache updates and such.
      I have removed and reinstalled the Squidguard package.  Reinstalling then running sockstat | grep 128.242.186 yields:

      proxy    squid      52546 30 tcp4   x.x.x.x:6881   128.242.186.198:80
      proxy    squid      52546 33 tcp4   x.x.x.x:43563  128.242.186.198:80
      proxy    squid      52546 36 tcp4   x.x.x.x:40502  128.242.186.198:80
      proxy    squid      52546 40 tcp4   x.x.x.x:18177  128.242.186.231:80

      which is more manageable, but over time it ratchets up to once again consume all of my bandwidth.

      • marcelloc

        You need to check in the Squid log files who is doing this (Lightsquid).

        Maybe some machine with a virus.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D
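
One way to carry out the log check suggested above, as an added example that is not part of the thread: it attributes the proxy's upstream fetches from 128.242.186.x to the internal clients that requested them. It assumes Squid's native access.log layout (client address in field 3, reply size in field 5, hierarchy code/peer address in field 9); the function names, client addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Squid's native access.log
# layout: $3 = client address, $5 = reply bytes, $9 = "<hierarchy>/<peer>".

# Constructed sample log lines (clients and hostnames are hypothetical).
sample_log() {
cat <<'EOF'
1346457600.101    812 192.168.1.23 TCP_MISS/200 1048576 GET http://host-a.example.invalid/a - DIRECT/128.242.186.240 application/octet-stream
1346457601.334    640 192.168.1.23 TCP_MISS/200 1048576 GET http://host-a.example.invalid/b - DIRECT/128.242.186.239 application/octet-stream
1346457602.020     95 192.168.1.40 TCP_MISS/200 5120 GET http://www.example.invalid/ - DIRECT/203.0.113.10 text/html
1346457603.512    701 192.168.1.23 TCP_MISS/200 1048576 GET http://host-a.example.invalid/c - HIER_DIRECT/128.242.186.198 application/octet-stream
1346457604.900    120 192.168.1.57 TCP_MISS/200 2048 GET http://host-b.example.invalid/x - DIRECT/128.242.186.209 text/plain
1346457605.100      3 192.168.1.40 TCP_HIT/200 900 GET http://www.example.invalid/logo - NONE/- image/png
EOF
}

# clients_for_prefix PREFIX
# Reads access.log lines on stdin. For every request that Squid fetched from
# a peer whose address starts with PREFIX, it tallies the requesting client.
# Prints "client requests bytes", heaviest client first.
clients_for_prefix() {
    awk -v prefix="$1" '
        NF >= 9 {
            # Field 9 looks like DIRECT/1.2.3.4 (or HIER_DIRECT/... on newer Squid);
            # cache hits log NONE/- and are skipped by the prefix test.
            n = split($9, peer, "/")
            if (n == 2 && index(peer[2], prefix) == 1) {
                reqs[$3]++
                bytes[$3] += $5
            }
        }
        END {
            for (c in reqs) printf "%s %d %d\n", c, reqs[c], bytes[c]
        }
    ' | sort -k3,3nr
}

# Demo on the constructed sample; the trailing dot keeps the match on an
# octet boundary.
sample_log | clients_for_prefix "128.242.186."
```

On a live box, feed the real access.log to `clients_for_prefix` in place of `sample_log`.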

          • darnitol

          Lightsquid shows no hits on the IPs in question.  Looking at the states there is no corresponding internal request.  If it were internal wouldn't a firewall rule block it?  I've done reverse DNS and all manner of investigation of the IPs which my pfSense is connecting to and get nothing.  Remember, the connections don't happen if SquidGuard is uninstalled even though Squid remains.  Further testing shows that the busier my Squid the more connects to the IPs in question occur.  Could it be P2P traffic?  Could it be that SquidGuard is phoning home?

            • marcelloc

            If there is any virus/p2p on your network, it will stop trying if squid/squidguard fails on connect but will try again later.

            Monitor if it happens again with squidguard off.

            When happening, sockstat will show a lot of connections from internal IP to squid too.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

              • darnitol

              It does not occur if Squidguard is not installed.  Reinstalled this evening and immediately two connections to the aforementioned IP appeared.  It is limiting itself to four connections now with minimal usage - however, the number of connections to a 128.242.186.0/24 address seems to vary based upon the number of connections clients are holding to the rest of the Internet.  If I fire up a video service such as Hulu or Netflix the number of connections increases.  I am going to install ntop and see if I can find anything.

                • JackL

                darnitol,

                I saw the debug console across multiple customers and have not noticed any strange requests to Squid/SquidGuard in recent days.

                Can it really be a virus/p2p on your network... In this case, ntop should help you figure out what is happening. Any news, please be sure to post here.

                []`s
                Jack

                Elite Training: http://sys-squad.com
                Solutions: https://conexti.com.br

                  • darnitol

                  Indeed it turned out to be p2p, had to rummage through the computers on my network to find it as it didn't show up in the state tables or sockstat as a local connection - sneaky stuff, those p2p networks!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.