SquidGuard Mystery Bandwidth Hog

  • Starting in August on some boxes Squidguard creates multiple connections to, and then consumes almost all available bandwidth (16Mb/s!) - output of:

    sockstat | grep 128.242.186


    proxy    squid      55204 28 tcp4   x.x.x.x:30105
    proxy    squid      55204 51 tcp4   x.x.x.x:43046
    proxy    squid      55204 54 tcp4   x.x.x.x:11147
    proxy    squid      55204 57 tcp4   x.x.x.x:25116
    proxy    squid      55204 63 tcp4   x.x.x.x:15130
    proxy    squid      55204 64 tcp4   x.x.x.x:30153
    proxy    squid      55204 73 tcp4   x.x.x.x:14614
    proxy    squid      55204 74 tcp4   x.x.x.x:26358
    proxy    squid      55204 80 tcp4   x.x.x.x:22563
    proxy    squid      55204 81 tcp4   x.x.x.x:30064
    proxy    squid      55204 82 tcp4   x.x.x.x:9633
    proxy    squid      55204 86 tcp4   x.x.x.x:30052
    proxy    squid      55204 87 tcp4   x.x.x.x:30054
    proxy    squid      55204 108 tcp4  x.x.x.x:30147
    proxy    squid      55204 110 tcp4  x.x.x.x:30086
    proxy    squid      55204 116 tcp4  x.x.x.x:30091
    proxy    squid      55204 120 tcp4  x.x.x.x:30144
    proxy    squid      55204 123 tcp4  x.x.x.x:30095
    proxy    squid      55204 124 tcp4  x.x.x.x:30096
    proxy    squid      55204 125 tcp4  x.x.x.x:30097
    proxy    squid      55204 126 tcp4  x.x.x.x:30098
    proxy    squid      55204 133 tcp4  x.x.x.x:30104
    proxy    squid      55204 140 tcp4  x.x.x.x:30122
    proxy    squid      55204 142 tcp4  x.x.x.x:30124
    proxy    squid      55204 157 tcp4  x.x.x.x:30168

    Removing or disabling the Squidguard package stops this behavior.  Has anyone else seen this?

    What I've tried:

    I have added to the pfBlocker add-on with no visible results.
    I have disabled all of my Squid options which cache updates and such.
    I have removed and reinstalled the Squidguard package.  Reinstalling then running sockstat | grep 128.242.186 yields:

    proxy    squid      52546 30 tcp4   x.x.x.x:6881
    proxy    squid      52546 33 tcp4   x.x.x.x:43563
    proxy    squid      52546 36 tcp4   x.x.x.x:40502
    proxy    squid      52546 40 tcp4   x.x.x.x:18177

    which is more manageable, but over time it ratchets up to once again consume all of my bandwidth.

  • you need to check in squid log files who is doing this.(lightsquid)

    maybe some machine with virus.

  • Lightsquid shows no hits on the IP's in question.  Looking at the states there is no corresponding internal request.  If it were internal wouldn't a firewall rule block it?  I've done reverse DNS and all manner of investigation of the IP's which my pfSense is connecting to and get nothing.  Remember, the connections don't happen if SquidGuard is uninstalled even though Squid remains.  Further testing shows that the busier my Squid the more connect s to the IP's in question occur.  Could it be P2P traffic?  Could it be that SquidGuard is phoning home?

  • if there is any virus/p2p on your network, it will stop trying if squid/squidguard fails on connect but will try again latter

    monitor if it happens again with squidguard off.

    when happening sockstat will show a lot of connections from internal ip to squid too.

  • It does not occur if Squidguard is not installed.  Reinstalled this evening and immediately two connections to the aforementioned ip appeared.  It is limiting itself to four connections now with minimal usage - however, the number of connections to a address seems to vary based upon the number of connections clients are holding to the rest of the Internet.  If I fire up a video service such as Hulu or Netflix the number of connections increases.  I am going to install ntop  and see if I can find anything.

  • darnitol,

    I saw debug console across multiple customers and not noticed any strange request to Squid/SquidGuard in recent days.

    Can it really be virus/p2p on your network .. … In this case, ntop should help you figure out what is happening. Any news, please be sure to post here.


  • Indeed it turned out to be p2p, had to rummage through the computers on my network to find it as it didn't show up in the state tables or sockstat as a local connection - sneaky stuff, those p2p networks!