Hi, I'm the admin of TUNA mirrors, a large mirror site in China. We are also experiencing such issues. Repeated requests for large iso images with strange pattern can be seen in our access log. By blocking several user-agents, most of such requests can be avoided. The block list on our server is: map $http_user_agent $isbadbrowser { default 0; "~*Mozilla/5\.0 \(Linux; Android\)" 1; "~*Chrome/49\.0\.2623\.87" 1; "~*Firefox/3.6.3" 1; } Cheers, Miao Wang
2020年07月02日 13:52,services via arch-mirrors <arch-mirrors@archlinux.org> 写道:
Hello,
Same case here.
Impact is low here (via one ip only), because a file which don't exist (old iso) : arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
Can you share ip on the list for compare and block all ip before ddos ?
Regards, Eric.
On 7/2/2020 5:02 AM, mirror-admin wrote:
Hello, Yes, we notice same download pattern from china IP. Not only for Archlinux, but for other archive as well. What we do is try to be nice, we throttling down our upload speed to their IP. Thx On 7/2/2020 09:49, Johannes Findeisen wrote:
Hello,
I am driving the mirror arch.unixpeople.org. Since some months I encounter a lot of traffic from China which seems to be like a DDoS. I fixed this some month ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules and to see what happens... Just some hours ago the DDoS startet again so I really had to block China from my mirror again because it would become a fulltime job to monitor my host.
While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many many IP addresses in China. When the download from one IP had finished the download directly started again from exactly the same IP in an endless loop.
Does anyone other here encounter such things?
Regards
Johannes