Port 4665 and similar sounds like e-mule/ed2k.

Check your ACLs; you are probably allowing CONNECT to those ports.
This should be limited to SSL ports only (Squid default):

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

An uploading ed2k client would explain the high outgoing traffic.

Regards, Hendrik.

Hement Gopal wrote:
hi all

Outgoing traffic from my site has been extremely high for the last few months.
I installed ntop and found that http was the top talker ... but can't run ntop for too long as I don't have enough memory on the server ... as a result I am only getting brief snapshots of my network usage :(

I am also running webalizer and other squid log analyzing software and have found the top users connecting to odd sites via odd ports. Here is a sample of the reports:
ACCESSED SITE           CONNECT  BYTES      %BYTES  IN-CACHE-OUT    USED TIME  MILISEC     %TIME
download.microsoft.com  24       9.418.948  1.46%   100.00%   0.00% 00:01:52   112.847     0.00%
80.7.8.38:4660          21       9.252.496  1.44%     0.00% 100.00% 03:24:38   12.278.775  0.10%
82.48.17.148:4663       27       8.770.325  1.36%     0.00% 100.00% 01:22:00   4.920.548   0.04%
83.33.192.223:4665      22       8.134.394  1.26%     0.00% 100.00% 01:20:31   4.831.163   0.04%
82.51.9.119:6246        20       8.082.783  1.26%     0.00% 100.00% 00:50:17   3.017.871   0.03%
65.25.54.110:4665





The above is from one of the top five proxy users in my network ... but I see these types of repeated connections (to various sites) coming from many of my other clients.


I suspect that these weird outgoing connections could be causing my outgoing traffic graph to be high.

Can a squid guru out there tell me if I'm on the right track and if there is anything in squid.conf I can do to stop these automated requests.


TIA.

Rgds,
Hement Gopal
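
As an added example (not part of the original thread): a small Python script that scans a Squid native-format access.log for CONNECT requests to ports outside SSL_ports and groups them per client. The log lines are constructed, and the allowed-port set {443, 563} is an assumption that should be changed to match the proxy's own "acl SSL_ports port ..." line.

```python
"""Summarise CONNECT requests to non-SSL ports from a Squid native access.log."""
from collections import defaultdict

# Assumption: mirrors the proxy's own "acl SSL_ports port ..." line.
SSL_PORTS = {443, 563}

# Constructed sample lines in Squid's native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1085400000.101 12278775 10.0.0.21 TCP_MISS/200 9252496 CONNECT 192.0.2.38:4660 - DIRECT/192.0.2.38 -
1085400100.202 4920548 10.0.0.21 TCP_MISS/200 8770325 CONNECT 198.51.100.148:4663 - DIRECT/198.51.100.148 -
1085400200.303 850 10.0.0.21 TCP_MISS/200 15300 CONNECT secure.example.com:443 - DIRECT/203.0.113.5 -
1085400300.404 112847 10.0.0.22 TCP_HIT/200 9418948 GET http://download.example.com/patch.exe - NONE/- application/octet-stream
1085400400.505 3 10.0.0.23 TCP_DENIED/403 1420 CONNECT 203.0.113.119:6246 - NONE/- text/html
garbage line that should be skipped
"""


def audit_connects(lines, allowed_ports=SSL_PORTS):
    """Return {client: {"bytes_to_client", "denied", "ports"}} for CONNECTs outside allowed_ports."""
    report = defaultdict(lambda: {"bytes_to_client": 0, "denied": 0, "ports": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # malformed line, or not a tunnel request
        client, result, size, target = fields[2], fields[3], fields[4], fields[6]
        _host, _, port = target.rpartition(":")  # CONNECT URLs are host:port
        if not port.isdigit() or not size.isdigit():
            continue
        if int(port) in allowed_ports:
            continue  # permitted by "http_access deny CONNECT !SSL_ports"
        entry = report[client]
        entry["ports"].add(int(port))
        if result.startswith("TCP_DENIED"):
            entry["denied"] += 1  # the ACL is already refusing this request
        else:
            entry["bytes_to_client"] += int(size)  # tunnel was established
    return dict(report)


if __name__ == "__main__":
    for client, e in sorted(audit_connects(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {e['bytes_to_client']} bytes to client, "
              f"{e['denied']} denied, ports {sorted(e['ports'])}")
```

The size field in the native log is the amount of data delivered to the client, so it understates upload volume; the list of clients and ports is the useful output here.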
