SquidGuard Mystery Bandwidth Hog
Starting in August on some boxes Squidguard creates multiple connections to 184.108.40.206, 220.127.116.11 and 18.104.22.168 then consumes almost all available bandwidth (16Mb/s!) - output of:
sockstat | grep 128.242.186
proxy squid 55204 28 tcp4 x.x.x.x:30105 22.214.171.124:80
proxy squid 55204 51 tcp4 x.x.x.x:43046 126.96.36.199:80
proxy squid 55204 54 tcp4 x.x.x.x:11147 188.8.131.52:80
proxy squid 55204 57 tcp4 x.x.x.x:25116 184.108.40.206:80
proxy squid 55204 63 tcp4 x.x.x.x:15130 220.127.116.11:80
proxy squid 55204 64 tcp4 x.x.x.x:30153 18.104.22.168:80
proxy squid 55204 73 tcp4 x.x.x.x:14614 22.214.171.124:80
proxy squid 55204 74 tcp4 x.x.x.x:26358 126.96.36.199:80
proxy squid 55204 80 tcp4 x.x.x.x:22563 188.8.131.52:80
proxy squid 55204 81 tcp4 x.x.x.x:30064 184.108.40.206:80
proxy squid 55204 82 tcp4 x.x.x.x:9633 220.127.116.11:80
proxy squid 55204 86 tcp4 x.x.x.x:30052 18.104.22.168:80
proxy squid 55204 87 tcp4 x.x.x.x:30054 22.214.171.124:80
proxy squid 55204 108 tcp4 x.x.x.x:30147 126.96.36.199:80
proxy squid 55204 110 tcp4 x.x.x.x:30086 188.8.131.52:80
proxy squid 55204 116 tcp4 x.x.x.x:30091 184.108.40.206:80
proxy squid 55204 120 tcp4 x.x.x.x:30144 220.127.116.11:80
proxy squid 55204 123 tcp4 x.x.x.x:30095 18.104.22.168:80
proxy squid 55204 124 tcp4 x.x.x.x:30096 22.214.171.124:80
proxy squid 55204 125 tcp4 x.x.x.x:30097 126.96.36.199:80
proxy squid 55204 126 tcp4 x.x.x.x:30098 188.8.131.52:80
proxy squid 55204 133 tcp4 x.x.x.x:30104 184.108.40.206:80
proxy squid 55204 140 tcp4 x.x.x.x:30122 220.127.116.11:80
proxy squid 55204 142 tcp4 x.x.x.x:30124 18.104.22.168:80
proxy squid 55204 157 tcp4 x.x.x.x:30168 22.214.171.124:80
Removing or disabling the Squidguard package stops this behavior. Has anyone else seen this?
What I've tried:
I have added 126.96.36.199/24 to the pfBlocker add-on with no visible results.
I have disabled all of my Squid options which cache updates and such.
I have removed and reinstalled the Squidguard package. Reinstalling then running sockstat | grep 128.242.186 yields:
proxy squid 52546 30 tcp4 x.x.x.x:6881 188.8.131.52:80
proxy squid 52546 33 tcp4 x.x.x.x:43563 184.108.40.206:80
proxy squid 52546 36 tcp4 x.x.x.x:40502 220.127.116.11:80
proxy squid 52546 40 tcp4 x.x.x.x:18177 18.104.22.168:80
which is more manageable, but over time it ratchets up to once again consume all of my bandwidth.
marcelloc last edited by
you need to check in squid log files who is doing this.(lightsquid)
maybe some machine with virus.
Lightsquid shows no hits on the IP's in question. Looking at the states there is no corresponding internal request. If it were internal wouldn't a firewall rule block it? I've done reverse DNS and all manner of investigation of the IP's which my pfSense is connecting to and get nothing. Remember, the connections don't happen if SquidGuard is uninstalled even though Squid remains. Further testing shows that the busier my Squid the more connect s to the IP's in question occur. Could it be P2P traffic? Could it be that SquidGuard is phoning home?
marcelloc last edited by
if there is any virus/p2p on your network, it will stop trying if squid/squidguard fails on connect but will try again latter
monitor if it happens again with squidguard off.
when happening sockstat will show a lot of connections from internal ip to squid too.
It does not occur if Squidguard is not installed. Reinstalled this evening and immediately two connections to the aforementioned ip appeared. It is limiting itself to four connections now with minimal usage - however, the number of connections to a 22.214.171.124/24 address seems to vary based upon the number of connections clients are holding to the rest of the Internet. If I fire up a video service such as Hulu or Netflix the number of connections increases. I am going to install ntop and see if I can find anything.
JackL last edited by
I saw debug console across multiple customers and not noticed any strange request to Squid/SquidGuard in recent days.
Can it really be virus/p2p on your network .. … In this case, ntop should help you figure out what is happening. Any news, please be sure to post here.
Indeed it turned out to be p2p, had to rummage through the computers on my network to find it as it didn't show up in the state tables or sockstat as a local connection - sneaky stuff, those p2p networks!