Re: [squid-users] idnsCheckQueue

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 16 Jun 2002 01:56:00 +0200

Probably you have some client bombarding Squid with requests for the
same domain. access.log should show TCP_MISS/503 if the client cared
to wait for the error, or TCP_MISS/000 if the client aborted before
Squid saw the error.

The timestamp in access.log should be the time the request was aborted
I think, but if you have this many of them it should not be too hard
to find in any case.

Regards
Henrik

On Wednesday 12 June 2002 07:52, Wei Keong wrote:
> Hi Henrik,
>
> Need your help again... is idnsCheckQueue related.
>
> The box was running fine, except there was a surge in response
> time. Cache log shows that there are a lot of (241 times)
> idnsCheckQueue messages at 14:59:53.
>
> 2002/06/11 14:59:53| idnsCheckQueue: ID 35a2: giving up after 3 tries and 42.3 seconds
> 2002/06/11 14:59:53| idnsCheckQueue: ID 35a3: giving up after 3 tries and 42.3 seconds
> 2002/06/11 14:59:53| idnsCheckQueue: ID 3671: giving up after 3 tries and 37.1 seconds
> 2002/06/11 14:59:53| idnsCheckQueue: ID 3672: giving up after 3 tries and 37.1 seconds
>
> Understand that it's normal to have idnsCheckQueue in cache log, as
> some domain requests are not valid. However, I think it's unusual
> to see so many in a second... Could it be due to the following?
>
> 1. DoS attack.
> - Besides going through access log, is there any way to use the ID
> to find the actual domain name?
> - Will the requests be reflected at 14:59:53 or 14:59:11 (minus
> lookup time)?
> - In cases where the requested domain name is not found, what will
> be the message in access log? TCP_MISS/404 ?
>
> 2. DNS failure.
> - But, the box is pointing to 2 DNS servers, which are quite unlikely to fail
> at the same time
>
> Please advise. Thanks.
>
> Rgds,
> Wei Keong
Received on Sat Jun 15 2002 - 17:58:10 MDT
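
One way to run the access.log check suggested in the reply above, as an added example that is not part of the original thread: it counts TCP_MISS/503 and TCP_MISS/000 entries per client and destination host, and estimates when each request started. It assumes Squid's native access.log layout (first field is the time the entry was logged, second is the elapsed time in milliseconds); the sample lines, addresses and threshold are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1023778793.101  42310 192.0.2.10 TCP_MISS/503 1021 GET http://no-such-host.example/a - NONE/- -
1023778793.102  42305 192.0.2.10 TCP_MISS/503 1021 GET http://no-such-host.example/b - NONE/- -
1023778793.110  37100 192.0.2.10 TCP_MISS/000 0 GET http://no-such-host.example/c - NONE/- -
1023778793.200    150 192.0.2.22 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html
1023778793.300  37090 192.0.2.33 TCP_MISS/503 1021 GET http://typo.example/ - NONE/- -
"""

# Result codes named in the reply: error delivered (503) or client aborted (000).
FAILED = {"TCP_MISS/503", "TCP_MISS/000"}


def failed_lookups(lines):
    """Yield (client, host, start_epoch, end_epoch) for failed or aborted misses."""
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[3] not in FAILED:
            continue
        try:
            end, elapsed_ms = float(f[0]), int(f[1])
        except ValueError:
            continue  # skip malformed or truncated lines
        # CONNECT requests are logged as host:port, without a scheme.
        host = urlsplit(f[6]).hostname or f[6].split(":")[0]
        # Assumption: logged time minus elapsed time approximates the request start.
        yield f[2], host, end - elapsed_ms / 1000.0, end


def top_offenders(lines, threshold=3):
    """Return ((client, host), count) pairs with at least `threshold` failures."""
    counts = Counter((c, h) for c, h, _, _ in failed_lookups(lines))
    return [(pair, n) for pair, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for (client, host), n in top_offenders(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {n} failed or aborted requests")
```
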
