Linux – Overwhelming traffic from llnw.com and msecn.net through squid

firewall, iptables, linux, traffic

On our network at work we have a squid proxy between us and the internet. Its main function is to cache Windows updates. However, at times, there are overwhelming amounts of traffic coming in on our squid proxy's external interface, but it isn't being read by any of the client machines. This traffic always originates from llnw.com or msecn.net. It lasts for varying amounts of time, and uses up nearly all of our bandwidth. Netstat -p confirms that squid is the program with the connection open.

What is causing this?

Best Answer

I was setting the "range_offset_limit" in squid.conf to -1 so that if any part of a Windows update was requested, the whole file would be downloaded. Amos Jeffries from the squid-users mailing list tipped me off that this could backfire if a client requested only a small piece of a large file (like a video) hosted from one of these CDNs; squid would be forced to download the whole file, even if the client stopped listening.

Removing this setting fixes the problem. Thanks to audiophilth and James Sneeringer for getting me on the right track.
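
A configuration check for the setting described in the answer, added here as an example and not part of the original post: it scans squid.conf text for an unlimited `range_offset_limit` and reports whether it applies to all traffic or only to named ACLs. The two config fragments are constructed, the ACL name `windowsupdate` and its domain list are hypothetical, and the scoped form assumes a Squid release whose `range_offset_limit` accepts ACL names (3.2 and later).

```python
# Values that tell Squid to fetch the whole object for any range request.
UNLIMITED = {"-1", "none"}

# Constructed fragment: the setting as described in the answer, applied globally.
GLOBAL_CONF = """\
# cache Windows updates
range_offset_limit -1
maximum_object_size 200 MB
"""

# Constructed fragment: same behaviour, restricted to a hypothetical ACL so
# range requests to other hosts (video CDNs, etc.) are not fetched in full.
SCOPED_CONF = """\
acl windowsupdate dstdomain .windowsupdate.com .update.microsoft.com
range_offset_limit -1 windowsupdate
"""


def audit_range_offset_limit(conf_text):
    """Return (line_no, scope, directive) for each unlimited range_offset_limit.

    scope is "global" when no ACL follows the value (every range request
    triggers a full download) and "scoped" when at least one ACL is named.
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0] != "range_offset_limit" or len(parts) < 2:
            continue
        if parts[1].lower() not in UNLIMITED:
            continue  # a finite limit cannot force whole-file fetches
        scope = "scoped" if parts[2:] else "global"
        findings.append((line_no, scope, line))
    return findings


if __name__ == "__main__":
    for name, conf in (("global", GLOBAL_CONF), ("scoped", SCOPED_CONF)):
        for line_no, scope, directive in audit_range_offset_limit(conf):
            print(f"{name} sample, line {line_no}: {scope}: {directive}")
```

A "global" finding is the configuration the answer removed; a "scoped" finding still forces full downloads, but only for hosts matched by the listed ACLs.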