
My Squid (3.1.20 on Ubuntu 13.04) is under DDoS attack (with about 1000 different IPs).
I'm using Basic Authentication on it and all of those requests are getting a DENIED response, but they still increase the server's load.
How can I defend against a DDoS attack on Squid?

Ariyan
  • 147

2 Answers

4

How about using fail2ban with a squid filter?

There is a configuration example here:

    # Fail2Ban configuration file for squid
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [INCLUDES]
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    [Definition]
    _daemon = squid
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex =  \d{0,10}.*\d{0,3}\ .* \ \d <HOST> TCP_DENIED\/407 .*$
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

pauska
  • 19,766
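As an added illustration (not part of the question or either answer), the script below does in plain Python what the fail2ban filter above does: it matches `TCP_DENIED/407` lines in Squid's native access.log format, then counts hits per client IP inside a sliding `findtime` window and reports IPs that reach `maxretry`, which is how fail2ban decides to ban. The log lines, thresholds and field regex are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Squid native access.log lines:
#   timestamp elapsed client action/code size method URL user hierarchy type
SAMPLE_LOG = """\
1375000000.101     12 203.0.113.5 TCP_DENIED/407 3400 GET http://example.com/ - HIER_NONE/- text/html
1375000000.305     10 203.0.113.5 TCP_DENIED/407 3400 GET http://example.com/ - HIER_NONE/- text/html
1375000000.512      9 203.0.113.5 TCP_DENIED/407 3400 GET http://example.com/ - HIER_NONE/- text/html
1375000001.000    250 198.51.100.7 TCP_MISS/200 5120 GET http://example.org/ user DIRECT/93.184.216.34 text/html
1375000002.200     11 203.0.113.5 TCP_DENIED/407 3400 GET http://example.com/ - HIER_NONE/- text/html
1375000500.000      8 192.0.2.9 TCP_DENIED/407 3400 GET http://example.net/ - HIER_NONE/- text/html
"""

# Field-anchored equivalent of the answer's failregex: the client IP is the
# third field and must be followed by TCP_DENIED/407 (auth challenge, denied).
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.\d{3}\s+\d+\s+(?P<host>[\w\-.:]+)\s+TCP_DENIED/407\s"
)


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: total_407_hits} for IPs that accumulate >= maxretry
    TCP_DENIED/407 entries within any findtime-second window (fail2ban's
    maxretry/findtime semantics)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful or non-407 requests are not failures
        hits[m.group("host")].append(int(m.group("ts")))

    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} TCP_DENIED/407 hits")
```

Run against a real access.log with `find_offenders(open("/var/log/squid3/access.log").read())`; the result is the set of clients fail2ban would jail with the same thresholds.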
2

If you're able to configure Squid to bind only to localhost and access it from an SSH tunnel (or through a VPN, if that's an option) you'll change your attack surface to something that should have less performance impact. I'd use iptables to rate-limit incoming SSH connections and access it over SSH (which is exactly what I do with my own Squid cache, actually).

Evan Anderson
  • 142,957