Hello all,
I have recently installed SquidNT (2.5STABLE3) on a Win2000 server.
Everything works just fine, except a few days ago my main router interconnecting
branch offices started to go down in a random pattern.
INTERNET---W2000+SQUID---SWITCH---*LAN
                           |
                           --ROUTER1--FrameRelay--ROUTER2--*REMOTE-LAN
If someone from the remote LAN starts to browse the network, Squid floods
ROUTER1 with a high volume of TCP packets (10000 in 5 seconds) sized ~62 bytes.
The router is an old Motorola Vanguard hardware router and from such a spike its
TCP/IP stack is killed; only low-level protocols like ARP, LLC, and UDP-based
ones - DHCP, NetBIOS-NS, NT-BROWSER - are able to pass through ROUTER1 in both
directions.
I am unable to find a reason why and exactly when Squid starts to flood,
but it happens a few times a day and the router is dead until a cold reset. The
only thing I can do at this moment is to post the TCP packet which floods
the router (ethereal capture).
So the main question is: why does Squid start to vomit packets at such an
unusual rate?
Thanks for a prompt reply!
--------------------------------------------------------------------------
Additional info:
Clients - W2000/XP, with IE 6.0 SP1; the Squid proxy is the only gateway to
the internet, integrated NTLM authentication is on (SquidNT uses it to
separate users into different delay pools), clients are set to use HTTP 1.1
through proxy connections, some hosts (like ads.; banners. and so on) are banned
from Squid.
When I decoded the TCP packet stream which caused the router failure, I found
out that it was just a 17 kB local news page (a few dozen pictures maybe).
Frame 24469 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jun 19, 2003 21:54:16.627708000
Time delta from previous packet: 0.000119000 seconds
Time relative to first packet: 6690.059331000 seconds
Frame Number: 24469
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:30:4f:05:c3:b4, Dst: 00:c0:ca:16:2c:69
Destination: 00:c0:ca:16:2c:69 (meistras.xxx.com)
Source: 00:30:4f:05:c3:b4 (192.168.0.2)
Type: IP (0x0800)
Trailer: 2020202020
Internet Protocol, Src Addr: terminalas.xxx.com (192.168.0.2), Dst Addr:
meistras.xxx.com (192.168.0.210)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 41
Identification: 0x3b82 (15234)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x3d28 (correct)
Source: terminalas.xxx.com (192.168.0.2)
Destination: meistras.xxx.com (192.168.0.210)
Transmission Control Protocol, Src Port: 60000 (60000), Dst Port: 1499 (1499), Seq:
2825473810, Ack: 3096049156, Len: 1
Source port: 60000 (60000)
Destination port: 1499 (1499)
Sequence number: 2825473810
Next sequence number: 2825473811
Acknowledgement number: 3096049156
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 63234
Checksum: 0x3b5d (correct)
Data (1 byte)
0000 65 e
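
Added example, not part of the original post: a sliding-window check that flags any TCP flow sending a burst of tiny data segments like the 1-byte PSH/ACK frame decoded above. The threshold (10000 segments in 5 seconds) and the addresses and ports come from the post; the function names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

# Values taken from the post: ~10000 packets in 5 seconds, 1 byte of TCP payload each.
WINDOW_S, THRESHOLD, MAX_PAYLOAD = 5.0, 10000, 1

def find_tiny_segment_floods(packets, window=WINDOW_S, threshold=THRESHOLD,
                             max_payload=MAX_PAYLOAD):
    """Return {flow: (window_start_ts, peak_count)} for flows that send at least
    `threshold` data segments of 1..max_payload bytes within `window` seconds.
    `packets` yields (ts, src, sport, dst, dport, payload_len) in time order."""
    recent = defaultdict(deque)   # flow -> timestamps of tiny segments in the window
    alerts = {}
    for ts, src, sport, dst, dport, plen in packets:
        if not 0 < plen <= max_payload:
            continue              # ignore pure ACKs and normally sized segments
        flow = (src, sport, dst, dport)
        q = recent[flow]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            start, peak = alerts.get(flow, (q[0], 0))
            alerts[flow] = (start, max(peak, len(q)))
    return alerts

def sample_packets():
    """Constructed sample traffic (not the poster's capture), reusing the
    addresses and ports visible in the decoded frame."""
    src_host, dst_host = "192.168.0.2", "192.168.0.210"
    pkts = []
    # Flood: 12000 one-byte segments 0.4 ms apart (about 4.8 s in total).
    pkts += [(i * 0.0004, src_host, 60000, dst_host, 1499, 1) for i in range(12000)]
    # Bulk transfer: full-sized segments at the same rate, must not be flagged.
    pkts += [(i * 0.0004, src_host, 60000, dst_host, 1500, 1460) for i in range(12000)]
    # Interactive session: one-byte segments, but only one per second.
    pkts += [(float(i), src_host, 60000, dst_host, 1501, 1) for i in range(20)]
    return sorted(pkts)

if __name__ == "__main__":
    for flow, (start, peak) in find_tiny_segment_floods(sample_packets()).items():
        print(f"tiny-segment flood {flow}: {peak} packets within {WINDOW_S}s from t={start}")
```

To feed it a real capture, export one record per packet with `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.len` (the file name is a placeholder) and convert the numeric fields before passing the records in.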