2

On our network at work we have a squid proxy between us and the internet. Its main function is to cache windows updates. However, at times, there are overwhelming amounts of traffic coming in on our squid proxy's external interface, but it isn't being read by any of the client machines. This traffic always originates from llnw.com or msecn.net. It lasts for varying amounts of time, and uses up nearly all of our bandwidth. Netstat -p confirms that squid is the program with the connection open.

What is causing this?

Matthew

3 Answers

4

I was setting the "range_offset_limit" in squid.conf to -1 so that if any part of a windows update was requested, the whole file would be downloaded. Amos Jeffries from the squid-users mailing list tipped me off that this could backfire if a client requested only a small piece of a large file (like a video) hosted from one of these CDNs; squid would be forced to download the whole file, even if the client stopped listening.

Removing this setting fixes the problem. Thanks to audiophilth and James Sneeringer for getting me on the right track.

Matthew
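As an added example (not the asker's squid.conf), the global setting described in the accepted answer next to a scoped form that keeps whole-file fetching for Windows Update hosts only. The ACL argument to range_offset_limit needs Squid 3.2 or later, and the dstdomain list is an assumption to be adjusted to the hosts seen in access.log.

```squid
# --- Setting as described in the answer: applies to every request, so a
# client asking for a small byte range of a large CDN-hosted video makes
# Squid fetch the whole object, even after the client has gone away.
range_offset_limit -1

# --- Scoped alternative (Squid 3.2+ accepts an ACL list after the size).
# Hostnames below are assumed; check them against your access.log.
acl windowsupdate dstdomain .windowsupdate.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain .windowsupdate.microsoft.com
acl windowsupdate dstdomain .download.microsoft.com

# Whole-object prefetch only for the hosts above. Everything else keeps the
# default of 0, so a Range request for a CDN video is forwarded as-is.
range_offset_limit -1 windowsupdate

# Stop fetching an object once the client has aborted, unless it is almost
# complete. Note that -1 above overrides quick_abort for matching requests,
# so Windows Update downloads still run to completion.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
```

After reloading, watch the external interface during a client-side abort of a large CDN download: the upstream transfer should now stop within seconds instead of continuing until the whole file has arrived.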
1

llnw.net is just a CDN source, not sure what you mean by "bogus" connections.

user20849
1

It isn't blocking the connections because your caching proxy is initiating them, and you have no OUTPUT rules, and the default OUTPUT policy is ACCEPT. I would guess that just about all of your outbound traffic on port 80 behaves the same way. Notice how in your output, your proxy also has direct connections to google.com and acast.com?

Also, llnw.net and msecn.net are not bogus. MSECN is Microsoft Edge Caching Network, and LLNW is Limelight Networks, both of which are content delivery networks similar to Akamai. I would guess you're seeing those because your users are hitting sites that subscribe to their services. You generally don't want to block them, otherwise you're going to break a lot of high-profile sites, if not make them completely inaccessible to your users.

James Sneeringer
  • What threw up red flags to me is that the traffic was hitting my wan address, but wasn't getting transferred to a local address. eth0 was getting around 180 KB/s, while eth1 was getting 2-4 KB/s (there isn't much going on now, and we only have 10 or so PCs). Is that normal? I did see, however, that netstat -p told me that squid was the one opening the connection. – Matthew Sep 21 '09 at 21:37
  • I physically unplugged the cable going from my proxy to my router, and the Rx on my eth0 was still 180 KB/s. What does that mean? – Matthew Sep 21 '09 at 21:42
  • Nix that last. It does drop off...if you wait a minute. Sorry, I guess I'm just being paranoid. – Matthew Sep 21 '09 at 21:50
  • 1
    I think the most likely reason is that something running locally on the server is responsible, such as an "apt-get update" or "emerge --sync" or similar cron job, or maybe freshclam updating virus definitions (if you use that). It's also possible that squid is configured to prefetch multipart content, so it's basically requesting content related to a user request before the user actually requests it. I don't know if this is how squid works, but another possibility is that a large file is being downloaded that squid does not stream immediately to the client. – James Sneeringer Sep 22 '09 at 04:09