Hello,

I'm guessing that these logs are generated by BitTorrent clients that are connecting to your mirror via the .torrent download. There is the .torrent file at https://www.archlinux.org/download/ which, as I see, uses all mirrors to download the latest ISO image.

---
Artis Šteinbergs

Eric Thirifays @ 22.10.2019 10:21 wrote:
Hello,
I have already found this log on my reverse proxy with loggin administrator. In my case, it's linked to test to connect to a Windows Server TSE. I compare log time and connection time on my FW and user test add more information.
Many IPs are banned with this log.
In my case, it isn't a DoS, just a brute force.
Eric.
On Mon, 21 Oct 2019 at 16:12, Andreas Pfister <andi-pfister@gmx.ch> wrote:
Hi everyone,
Today, my logfile (apache2) was full of thousands upon thousands of requests like this:
85.14.109.184 - - [21/Oct/2019:14:57:33 +0200]
"\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80\xc2k\xbbh\xdd\xfa\x06\xc3b\x0e\xd8L\x87\xd4\xbd\xd0\x02\x86\xfc\xc6\xe6\xd2\xc1\xad8\v0\r\xfb\xb83\x9d\xca^\xa8h\x97\x99\xad\x9a\xfd\xed\xe1\xd4\xbf^'\xfeg\xbe#\xf0\x9d\x80qM\xb2\xe3A\x8a$Z\x94\xc1*\xae\x11\xf4\x82\xe9\xd14wV\xef\x0ez\xe0\x83\xfe\x07\xab\x86d\xdfN\xb0N6\v\xa8\x1e{\xb0\xc1\xe9\xa3(\xd7E\xc7\xa2\x17\xce\xe5X\xdd@\xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:\"\xb89\xb3\xa4u0\x91\xe4\xac\xe2\xb4P\v\x8c\n"
400 0 "-" "-"
For this reason, my mirror was not reachable for a long time. Sorry.
To me it looks like a DoS attack, but I am not sure. Has anyone seen this in their logfiles, or does anyone have any further ideas/information?
Now, I solved the problem by blocking 851 different IPs and I think it is now running stable.
Greetings
Andi Pfister
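
One way to pull the addresses sending such requests out of an Apache access log, as an added example that is not part of the mailing-list thread. The sample log lines, the addresses (documentation ranges), the thresholds and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
# Apache logs non-printable request bytes as \xhh escapes.
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')
HTTP_REQUEST = re.compile(r'^[A-Z]+ \S+ HTTP/\d(?:\.\d)?$')

def is_binary_request(request, status, min_escapes=4):
    """400 response to a request line that is not HTTP and contains several escaped bytes."""
    return (status == 400
            and not HTTP_REQUEST.match(request)
            and len(HEX_ESCAPE.findall(request)) >= min_escapes)

def offenders(lines, threshold=3):
    """Return {ip: hits} for clients with at least `threshold` binary 400 requests."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_binary_request(m.group("request"), int(m.group("status"))):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = [
    r'192.0.2.10 - - [21/Oct/2019:14:57:33 +0200] "\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj" 400 0 "-" "-"',
    r'192.0.2.10 - - [21/Oct/2019:14:57:34 +0200] "\xd0\x02\x86\xfc\xc6\xe6\xd2" 400 0 "-" "-"',
    # The request field may contain an escaped quote (\"), which the regex must skip over.
    r'192.0.2.10 - - [21/Oct/2019:14:57:35 +0200] "\xe9\xe3:\"\xb89\xb3\xa4u0\x91" 400 0 "-" "-"',
    r'198.51.100.7 - - [21/Oct/2019:14:57:40 +0200] "GET /archlinux/iso/latest/ HTTP/1.1" 200 1532 "-" "curl/7.66.0"',
    # A single binary request stays below the default threshold.
    r'198.51.100.7 - - [21/Oct/2019:14:58:02 +0200] "\x16\x03\x01\x02\x00\x01" 400 0 "-" "-"',
    # Malformed but textual HTTP: a 400, yet not the pattern from the thread.
    r'203.0.113.5 - - [21/Oct/2019:14:58:10 +0200] "GET /%zz HTTP/1.1" 400 226 "-" "-"',
]

if __name__ == "__main__":
    for ip, hits in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}\t{hits}")
```

The per-address counts also show whether the traffic comes from a few noisy hosts or is spread thinly over many, which matters when deciding between a block list and a rate limit.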