Thread Info
  • State Verified Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 9777 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web-Filtering high CPU

TimBoggs

I have a filter that blocks web-ads and up until last week I never saw an issue. For four hour period the CPU was maxed at 100%. The good news was that nobody complained, I just happened to see it in the interface.

A single user was on a site called listverse.com which uses the sekindo.com ad network. Sekindo was blocked by policy, but it did not stop it from trying to access the site, to the tune of 1.1 million requests during the 4 hour period. I blocked listverse.com, but I have seen two CPU spikes since then that can be attributed to that site. The log shows it's blocked along with sekindo, but it is still generation tons of requests. I am guessing that listverse.com is a referenced on other sites that somehow allow it code to get executed in the browser.

Does it even make sense to block web-ads at the firewall? How good is Sophos at catching malicious ad sites?



This thread was automatically locked due to age.
Parents
  • 0

    I'm guessing that the Web Filtering Profile is in Transparent mode.  Make a Host definition with a DNS Hostname of sekindo.com and assign an unused IP in the same subnet as the people trying to access sekindo.  Now, the traffic will never leave the client because the client's NIC will ARP for the unused IP and get no answer.  Does that work for you?

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sorry I didn't provide more info. We run in standard mode since the Sophos is not currently the default gateway for the network. Also, I am not following your best practice for DNS, so all DNS is resolved through our AD DNS servers which resolve directly from Google and OpenDNS. I had thought of creating an entry to sekindo that pointed to 127.0.0.1 like the MVPS Hosts File.

    DNS is problematic because we have three sites and quite a few subnets, multiple domains and three UTM clusters. Keeping them all up to date is a rather tedious chore without the ability to centrally manage. Really wish that SUM could manage everything configurable on a UTM.

  • 0 in reply to TimBoggs

    Why not add a proxy-skip to the GPO (Configuring HTTP/S proxy access with AD SSO) and then just block traffic to sekindo.com at the firewall?  There's probably a way to force the users' Windows firewalls to block the traffic, but my Windows-fu is not that strong.

    Let us know what you decide to do and your results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    We configure the proxy via DHCP and DNS. Statically setting the proxy via GPO can cause a less optimal experience for highly mobile users when travelling outside the network. Since we also leverage a proxy.pac file on each Sophos device I added the following to the file:

     

    if (shExpMatch(host, "*.listverse.*") ||
    shExpMatch(host, "*.sekindo.*"))
    return "PROXY localhost";

    This seems to produce the desired effect and keeps the client from slamming the proxy with requests. I don't believe the localhost keyword is actually be used as localhost, it just give the client a proxy to look for that doesn't exist.

    I will have to give it a couple of days to see how it goes.

Reply
  • 0 in reply to BAlfson

    We configure the proxy via DHCP and DNS. Statically setting the proxy via GPO can cause a less optimal experience for highly mobile users when travelling outside the network. Since we also leverage a proxy.pac file on each Sophos device I added the following to the file:

     

    if (shExpMatch(host, "*.listverse.*") ||
    shExpMatch(host, "*.sekindo.*"))
    return "PROXY localhost";

    This seems to produce the desired effect and keeps the client from slamming the proxy with requests. I don't believe the localhost keyword is actually be used as localhost, it just give the client a proxy to look for that doesn't exist.

    I will have to give it a couple of days to see how it goes.

Children
Unfiltered HTML