SquidGuard Mystery Bandwidth Hog
-
Starting in August on some boxes Squidguard creates multiple connections to 128.242.186.240, 128.242.186.239 and 128.242.186.198 then consumes almost all available bandwidth (16Mb/s!) - output of:
sockstat | grep 128.242.186
yields:
proxy squid 55204 28 tcp4 x.x.x.x:30105 128.242.186.239:80
proxy squid 55204 51 tcp4 x.x.x.x:43046 128.242.186.209:80
proxy squid 55204 54 tcp4 x.x.x.x:11147 128.242.186.209:80
proxy squid 55204 57 tcp4 x.x.x.x:25116 128.242.186.209:80
proxy squid 55204 63 tcp4 x.x.x.x:15130 128.242.186.248:80
proxy squid 55204 64 tcp4 x.x.x.x:30153 128.242.186.198:80
proxy squid 55204 73 tcp4 x.x.x.x:14614 128.242.186.238:80
proxy squid 55204 74 tcp4 x.x.x.x:26358 128.242.186.209:80
proxy squid 55204 80 tcp4 x.x.x.x:22563 128.242.186.238:80
proxy squid 55204 81 tcp4 x.x.x.x:30064 128.242.186.239:80
proxy squid 55204 82 tcp4 x.x.x.x:9633 128.242.186.238:80
proxy squid 55204 86 tcp4 x.x.x.x:30052 128.242.186.240:80
proxy squid 55204 87 tcp4 x.x.x.x:30054 128.242.186.238:80
proxy squid 55204 108 tcp4 x.x.x.x:30147 128.242.186.241:80
proxy squid 55204 110 tcp4 x.x.x.x:30086 128.242.186.240:80
proxy squid 55204 116 tcp4 x.x.x.x:30091 128.242.186.239:80
proxy squid 55204 120 tcp4 x.x.x.x:30144 128.242.186.209:80
proxy squid 55204 123 tcp4 x.x.x.x:30095 128.242.186.240:80
proxy squid 55204 124 tcp4 x.x.x.x:30096 128.242.186.240:80
proxy squid 55204 125 tcp4 x.x.x.x:30097 128.242.186.240:80
proxy squid 55204 126 tcp4 x.x.x.x:30098 128.242.186.240:80
proxy squid 55204 133 tcp4 x.x.x.x:30104 128.242.186.198:80
proxy squid 55204 140 tcp4 x.x.x.x:30122 128.242.186.209:80
proxy squid 55204 142 tcp4 x.x.x.x:30124 128.242.186.231:80
proxy squid 55204 157 tcp4 x.x.x.x:30168 128.242.186.239:80Removing or disabling the Squidguard package stops this behavior. Has anyone else seen this?
What I've tried:
I have added 128.242.186.0/24 to the pfBlocker add-on with no visible results.
I have disabled all of my Squid options which cache updates and such.
I have removed and reinstalled the Squidguard package. Reinstalling then running sockstat | grep 128.242.186 yields:proxy squid 52546 30 tcp4 x.x.x.x:6881 128.242.186.198:80
proxy squid 52546 33 tcp4 x.x.x.x:43563 128.242.186.198:80
proxy squid 52546 36 tcp4 x.x.x.x:40502 128.242.186.198:80
proxy squid 52546 40 tcp4 x.x.x.x:18177 128.242.186.231:80which is more manageable, but over time it ratchets up to once again consume all of my bandwidth.
-
you need to check in squid log files who is doing this.(lightsquid)
maybe some machine with virus.
-
Lightsquid shows no hits on the IP's in question. Looking at the states there is no corresponding internal request. If it were internal wouldn't a firewall rule block it? I've done reverse DNS and all manner of investigation of the IP's which my pfSense is connecting to and get nothing. Remember, the connections don't happen if SquidGuard is uninstalled even though Squid remains. Further testing shows that the busier my Squid the more connect s to the IP's in question occur. Could it be P2P traffic? Could it be that SquidGuard is phoning home?
-
if there is any virus/p2p on your network, it will stop trying if squid/squidguard fails on connect but will try again latter
monitor if it happens again with squidguard off.
when happening sockstat will show a lot of connections from internal ip to squid too.
-
It does not occur if Squidguard is not installed. Reinstalled this evening and immediately two connections to the aforementioned ip appeared. It is limiting itself to four connections now with minimal usage - however, the number of connections to a 128.242.186.0/24 address seems to vary based upon the number of connections clients are holding to the rest of the Internet. If I fire up a video service such as Hulu or Netflix the number of connections increases. I am going to install ntop and see if I can find anything.
-
darnitol,
I saw debug console across multiple customers and not noticed any strange request to Squid/SquidGuard in recent days.
Can it really be virus/p2p on your network .. … In this case, ntop should help you figure out what is happening. Any news, please be sure to post here.
[]`s
Jack -
Indeed it turned out to be p2p, had to rummage through the computers on my network to find it as it didn't show up in the state tables or sockstat as a local connection - sneaky stuff, those p2p networks!