Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie support?)

Chris Myers chris at by-design.net
Thu Apr 29 19:44:20 EDT 2004


----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, April 29, 2004 11:28 AM
Subject: Freshclam load (was RE: [Mimedefang] Poll: Time to drop Trophie
support?)


> On Thu, 29 Apr 2004, Paul Murphy wrote:
>
> > the basis that it will be able to spread to a lot more machines
> > before anyone picks up the warning and updates their signature
> > files.  Doing a freshclam check consumes so little bandwidth that it
> > is a no-brainer to use it.
>
> Freshclam actually uses an astounding amount of bandwidth if you aggregate
> it across all Freshclam users.  I don't have the statistics handy, but
> I remember reading that each clam mirror does over 100GB/month.
>
> I wonder if there's a very light way to announce updates?  Maybe a DNS
> record with a TTL of a few minutes that gets updated with the latest
> DB version string?  It might lower the load on the DB servers.
(Unfortunately,
> DNS is not secure.)

Actually, that would probably crush the servers instead since everyone would
pounce on the signature update seconds after it was released.  At least this
way it's spread over an hour or two.

100GB a month actually isn't that much bandwidth, it's only 17% of a T1 line
if the load were spread out over a month.  Obviously there are bursts rather
than a constant load, but folks with 10M/45M/155M connections are a lot more
common today -- and if they aren't an ISP, the odds are good that normal use
is inbound-traffic-heavy, so outbound traffic is virtually free and doesn't
affect operations.

Still, it's definitely good to run your own signature server if you have a
number of systems running ClamAV.  Much more polite!

Chris Myers
Networks By Design




More information about the MIMEDefang mailing list