I am using squid 2.5Stable7 in my Redhat linux 7.3. From few days I am getting these types of request in my squid log file.

NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:07 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:12 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:13 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:17 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:18 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:19 +0545] "POST http://192.168.119.128/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:21 +0545] "POST http://192.168.119.129/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:22 +0545] "POST http://192.168.119.130/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:23 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:24 +0545] "POST http://192.168.119.131/_vti_bin/_vti_aut/fp30reg.dll HTTP/0.0" 501 1466 TCP_DENIED:NONE
- - [20/Feb/2005:16:46:24 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
- - [20/Feb/2005:16:46:26 +0545] "NONE error:request-too-large HTTP/0.0" 413 1641 NONE:NONE
----------------------------------------------------------------
These types of request are consuming my upload bandwidth, It looks like client computer is infected by worm or virus which is trying to scan IIIS server. How can I block these request from passing my proxy server in firewall, so that my uplink bandwidth will be saved. Is there any way of blocking scan to remote port IIS vunerable ports from bypassing my proxy server.

Please help me. It's consuming much much of my upload traffic.

If the computer that you think is infected is on your network, pull it's patch cable and get it cleaned up. If it's out on the internet somewhere, why are you allowing public access of your proxy server?

Either way, your question is answered in the FAQ.

Well I can't do so because he is my client. I have infromed him many times regarding this problem. But I don't know why he isn't applying securiy patch for his computer.
Can't it be possible that I can stop or block the port of IIS server scanning in my linux server's firewall. so that the scanning to remote IIS server can be blocked from by passing my proxy server?

Well, no. IIS runs on 80 (http) just like every other webserver does, so if you block his computer from hitting port 80, he's not going to be able to surf the internet with his browser either.

I am not sure that this will improve your bandwidth but I came across a useful addition to httpd.conf which redirects all these to microsoft and therefore uses up their bandwidth;

<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com/
</IfModule>

If the OP were using Apache instead of squid it might

Ok guys here is the dump file of the infected pc.

------------------------------------------------------------------------------------------

11:55:48.809302 XXX.XXX.XXX.XXX.3320 > 192.168.231.174.http: . 1732923377:1732924837(1460) ack 4187239755 win 8760 (DF)
0x0000 4500 05dc 460d 4000 7e06 08e3 ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 4ff1 f994 354b .......PgJO...5K
0x0020 5010 2238 b01c 0000 9090 9090 9090 9090 P."8............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0060 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0070 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0080 9090 9090 9090 9090 9090 9090 9090 9090 ................
11:55:48.929178 XXX.XXX.XXXX.XXX.3320 > 192.168.231.174.http: . 1460:2920(1460) ack 1 win 8760 (DF)
0x0000 4500 05dc 460e 4000 7e06 08e2 ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 55a5 f994 354b .......PgJU...5K
0x0020 5010 2238 aa68 0000 9090 9090 9090 9090 P."8.h..........
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0060 9090 9090 9090 9090 9090 9090 9090 9090 ................
11:55:48.934254 xxx.xx.xxx.xx.3320 > 192.168.231.174.http: . 4380:5110(730) ack 1 win 8760 (DF)
0x0000 4500 0302 4610 4000 7e06 0bba ca4f 3585 E...F.@.~....O5.
0x0010 c0a8 e7ae 0cf8 0050 674a 610d f994 354b .......PgJa...5K
0x0020 5010 2238 bff8 0000 9090 9090 9090 9090 P."8............
0x0030 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0040 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0050 9090 9090 9090 9090 9090 9090 9090 9090 ................

--------------------------------------------------------------------

I have even blocked using squid ACL but it seems traffic is still passing from the squid cache server.. SO it's consuming my uplink bandwidth. Any ideas ..... for blocking that IIS scan from bypassing my server but still I wan client to browse net except that traffic.

Surely you have some kind of contract that says "you must ensure that your system must be properly maintained at all times and if at any time your system disrupts our network services then we have the right to terminate the service." This is standard with many isp's. If not maybe you should investigate this angle or perhaps to even volunteer to clean this box at no charge.

Any bash scripts so that it will automatically execute at 5 mins interval from cron and listen in squid's access.log file for such request and if found it will execute command like routing the infected pc's ip to localhost or reject ;

/sbin/route add -host 192.168.0.2 reject

The mod_secutiry will block the most of these attacks. (Give them a 406 error, and prevent the execution of abritrage code b.v: mod_security: Access denied with code 406. Pattern match "!^$" at HEADER)

Disable the atd service. It can be abused. (And check cron, but cron seems to be safe. Mush be something with the user rights)

Enable the clamav service. This will block the unoticed sending of spam. Scan for visusses. Clamav will find them if they are present.

Disable all services wich you do not use (A lot of services like webmin, nfs, netdump, portmap are active when they are not needed. Disabling them will prevent that the services will be abused. You can simple activate them when you need them.) This will prevent the eating of your bandwidth.

Be sure you logfiles are working. (To get a specific log working again, you have to specify a new location in the config file of the specific application.)

Oh yeah, and redirect to something like http://www.trash.bin (This will prevent there is eaten any bandwith at any webserver. Since the www.trash.bin adres does not exist. So redirect bad things to nothing, not to somebody else.)
Be aware of bots wich index a lot of unessary files. Since the bots have no reasen to do this, something else causes this.

Marcel