This is an informational post for others to pick up once Google indexes it, and it will serve as a place for me to vent... Autodesk releases crap. I've said it. Their AutoCAD suite is bloated beyond recognition and it is more of a PITA to install every year. But how does this apply to internet access, filtering, or firewalls, you ask? Well, our students go through an internal Squid proxy for traffic logging before hitting the outside content filters. This proxy uses NTLM authentication, and by now enterprise-level software should know what the hell that is. I came into work this morning to find the student proxy not passing traffic anymore, and upon further inspection the volume I have set up to hold logs (30GB, mind you) was completely full. After purging some older logs and getting it working again I began to investigate.
netstat -nat lists every current TCP connection on every interface, and there were 40,000 of them for a district with a tenth that many students, only about a third of whom are on computers at any given time. So I dumped the entire output to a file in the home directory:

netstat -nat > ~/connections.txt

Once I fetched and opened it in Excel I was able to sort it out. I was finding machines with thousands of connections apiece, all coming from the CAD lab, many of them sitting in TIME_WAIT (sockets the proxy had already closed and was waiting to reap, meaning each one was a separate short-lived request) like this one:

tcp6 0 0 10.1.xxx.xxx:3128 10.1.xxx.xxx:63325 TIME_WAIT

Now I could parse the Squid access log, which was already bloated out to 2GB by mid-morning (it typically doesn't exceed 300MB for an entire day), pulling out only the lines for one of the offending clients:

grep 10.1.xxx.xxx /var/log/squid3/access.log > ~/moreconnections.txt

Upon opening this 230MB txt file in Excel and sorting by outgoing connection I found 2,000 GETs to here:

10.1.xxx.xxx TCP_DENIED/407 5100 GET http://autodesk-exchange-apps-v-1-5-staging.s3.amazonaws.com/data/content/fil

TCP_DENIED/407 is Squid answering "Proxy Authentication Required". Whatever Autodesk app is running is trying to get out to the web, getting hit with the NTLM challenge for credentials, ignoring the challenge, and requesting the resource over, and over, and over again without ever completing the handshake; thus filling the logs to oblivion with junk.
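Sorting a 230MB export in Excel works once, but the pattern above (many 407s from one client to one host and never a real response) is easy to detect directly from the log. The script below is an added example, not part of the original post or any Autodesk tooling: it parses Squid's native access.log format, groups requests by client and destination host, and reports the pairs that only ever got TCP_DENIED/407. The sample log it builds is constructed: the client addresses, timestamps and trailing fields are made up, and the denied line is modelled on the one quoted above (the truncated URL is kept exactly as the post shows it).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid's default "squid" logformat, as written by squid3:
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["host"] = urlsplit(rec["url"]).hostname or "-"
    return rec


def find_auth_loops(lines, min_denials=50):
    """Return {(client, host): info} for clients stuck re-sending an unauthenticated request.

    A well-behaved NTLM client gets a 407 or two per connection and then answers the
    challenge, so it always produces at least one non-407 response for the host.  A
    pair with many 407s and no other response at all is a retry loop, not a slow login.
    """
    stats = defaultdict(lambda: {"denied": 0, "served": 0,
                                 "first": None, "last": None, "url": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["client"], rec["host"])]
        if rec["status"] == 407:
            s["denied"] += 1
            s["url"] = rec["url"]
        else:
            s["served"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    loops = {}
    for key, s in stats.items():
        if s["served"] == 0 and s["denied"] >= min_denials:
            span = s["last"] - s["first"]
            loops[key] = {
                "denied": s["denied"],
                "seconds": span,
                "per_second": s["denied"] / span if span > 0 else float("inf"),
                "url": s["url"],
            }
    return loops


# Constructed sample data (addresses, timestamps and trailing fields are made up).
AUTODESK_URL = ("http://autodesk-exchange-apps-v-1-5-staging.s3.amazonaws.com"
                "/data/content/fil")


def build_sample_log():
    lines = []
    # A CAD-lab machine: 200 identical unauthenticated GETs, five per second, never a 200.
    for i in range(200):
        lines.append(f"{1389276000 + i / 5:.3f}      0 10.1.50.21 TCP_DENIED/407 5100 GET "
                     f"{AUTODESK_URL} - HIER_NONE/- text/html")
    # A normal browser: one 407 challenge, then the authenticated retry succeeds.
    lines.append("1389276010.000      0 10.1.60.7 TCP_DENIED/407 5100 GET "
                 "http://www.example.com/ - HIER_NONE/- text/html")
    lines.append("1389276010.250    240 10.1.60.7 TCP_MISS/200 10240 GET "
                 "http://www.example.com/ - HIER_DIRECT/203.0.113.20 text/html")
    return lines


if __name__ == "__main__":
    for (client, host), info in find_auth_loops(build_sample_log()).items():
        print(f"{client} -> {host}: {info['denied']} x 407 in {info['seconds']:.1f}s "
              f"({info['per_second']:.1f}/s), never authenticated: {info['url']}")
```

On a real log, feed it `open("/var/log/squid3/access.log")` instead of the constructed lines; the normal browser is deliberately not reported, because it got a 200 after its challenge, which is what separates an NTLM handshake from a client that ignores the challenge.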
I'm going to try whitelisting the domain so connections to it don't have to provide credentials and see if that calms it down. I'm so sick of this....
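What that exemption looks like in squid.conf, as an added example rather than the author's actual configuration (the proxy_auth ACL name ntlm_users is an assumption; the bucket hostname is the one from the log line): http_access is first-match, so the allow rule for the bucket has to sit above the rule that demands credentials, otherwise the 407 is issued before the exemption is ever evaluated. Match the exact bucket hostname, not .s3.amazonaws.com; a wildcard there would exempt every S3 bucket on the internet from authentication, and anyone can put content on S3.

```conf
# Assumed existing NTLM auth ACL (the name is an assumption)
acl ntlm_users proxy_auth REQUIRED

# Exact bucket hostname from the access.log line.  Do NOT widen this to
# .s3.amazonaws.com, which would exempt every S3 bucket from authentication.
acl autodesk_apps dstdomain autodesk-exchange-apps-v-1-5-staging.s3.amazonaws.com

# http_access is first-match: the exemption must precede the auth rule.
http_access allow autodesk_apps
http_access allow ntlm_users
http_access deny all
```

Requests to the bucket still land in access.log, just without a username, so the retry loop stays visible; it simply stops costing a 407 round trip and a new TCP connection per attempt. Combining autodesk_apps with a src ACL for the student LAN on the same http_access line keeps the proxy from answering for that host to anything outside the network.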