[arch-mirrors] Huge traffic from China
Hello,
I am driving the mirror arch.unixpeople.org. For some months I have encountered a lot of traffic from China which seems to be like a DDoS. I fixed this some months ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules to see what happens... Just some hours ago the DDoS started again, so I really had to block China from my mirror again because it would become a full-time job to monitor my host.
While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many, many IP addresses in China. When the download from one IP had finished, the download directly started again from exactly the same IP in an endless loop.
Does anyone else here encounter such things?
Regards
Johannes
Hello,
Yes, we notice the same download pattern from China IPs. Not only for Archlinux, but for other archives as well.
What we do is try to be nice: we throttle down our upload speed to their IPs.
Thx
On 7/2/2020 09:49, Johannes Findeisen wrote:
> Hello,
> I am driving the mirror arch.unixpeople.org. For some months I have encountered a lot of traffic from China which seems to be like a DDoS. I fixed this some months ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules to see what happens... Just some hours ago the DDoS started again, so I really had to block China from my mirror again because it would become a full-time job to monitor my host.
> While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many, many IP addresses in China. When the download from one IP had finished, the download directly started again from exactly the same IP in an endless loop.
> Does anyone else here encounter such things?
> Regards
> Johannes
Hello,
Same case here.
Impact is low here (via one IP only), because of a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
Can you share the IPs on the list, to compare and block all IPs before a DDoS?
Regards, Eric.
On 7/2/2020 5:02 AM, mirror-admin wrote:
> Hello,
> Yes, we notice the same download pattern from China IPs. Not only for Archlinux, but for other archives as well.
> What we do is try to be nice: we throttle down our upload speed to their IPs.
> Thx
Hi,
I'm the admin of TUNA mirrors, a large mirror site in China. We are also experiencing such issues. Repeated requests for large iso images with a strange pattern can be seen in our access log. By blocking several user-agents, most of such requests can be avoided. The block list on our server is:
    map $http_user_agent $isbadbrowser {
        default 0;
        "~*Mozilla/5\.0 \(Linux; Android\)" 1;
        "~*Chrome/49\.0\.2623\.87" 1;
        "~*Firefox/3.6.3" 1;
    }
Cheers,
Miao Wang
On 2 July 2020 at 13:52, services via arch-mirrors <arch-mirrors@archlinux.org> wrote:
> Hello,
> Same case here.
> Impact is low here (via one IP only), because of a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
> Can you share the IPs on the list, to compare and block all IPs before a DDoS?
> Regards, Eric.
Hi,
we got requests from a fraction of subnet 27.221.66.0/24
thx
On 7/2/2020 12:52, services via arch-mirrors wrote:
> Hello,
> Same case here.
> Impact is low here (via one IP only), because of a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
> Can you share the IPs on the list, to compare and block all IPs before a DDoS?
> Regards, Eric.
We also received lots of requests from 27.221.66.0/24.
    aveline@mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr
        178 27.221.66.133
        176 27.221.66.144
        163 27.221.66.143
        163 27.221.66.132
        158 27.221.66.138
        155 27.221.66.141
        153 27.221.66.131
        150 27.221.66.149
        144 27.221.66.147
        137 27.221.66.142
        136 27.221.66.136
        136 27.221.49.135
        133 27.221.66.154
        133 27.221.66.134
        131 27.221.66.151
        131 27.221.66.146
        130 27.221.66.137
        124 27.221.66.139
        120 27.221.66.153
        102 27.221.66.148
         93 27.221.66.152
On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin@labkom.id> wrote:
> Hi,
> we got requests from a fraction of subnet 27.221.66.0/24
> thx
The IPs are in the same range for me, and I found 4 new IPs yesterday in another range (scan 22H CEST): 119.176.61.18 119.176.61.22 119.176.61.16 119.176.61.12
On 7/2/2020 8:25 AM, Siyuan Miao wrote:
> We also received lots of requests from 27.221.66.0/24.
On Thu, 2 Jul 2020 07:52:26 +0200 services via arch-mirrors wrote:
> Hello,
> Same case here.
> Impact is low here (via one IP only), because of a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
> Can you share the IPs on the list, to compare and block all IPs before a DDoS?
Actually I cannot, because I blocked all China IPs via iptables yesterday night. But what I see is that when just blocking single IPs, the traffic starts from other IPs. It would be a full-time job to monitor this and to react. At the weekend I can disable the firewall rules and let it run for some hours. Then I can build a list of IPs from my logfiles. You will get it then.
The situation is horrible because blocking a whole country is not what I want to do. But I have peaks with 500 to 600 Mbits downstream traffic for hours. That would not be a problem at all, but I don't want this because it kills traffic for regular users and in the end it will cost money at some point.
Too sad people are doing this kind of stupid thing... :|
Regards
Johannes
On Thu, 2 Jul 2020 07:52:26 +0200 services via arch-mirrors wrote:
> Hello,
> Same case here.
> Impact is low here (via one IP only), because of a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
> Can you share the IPs on the list, to compare and block all IPs before a DDoS?
Okay, this is from the past, but it is from a logfile older than about 3 months:
    a lighttpd # grep iso arch.unixpeople.org.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | head -n 25
       1572 194.147.110.21
       1220 95.217.42.120
        553 51.6.209.241
        401 212.129.50.243
        342 147.75.65.86
        341 27.221.66.142
        340 86.58.83.97
        323 27.221.66.141
        323 27.221.66.131
        316 27.221.66.144
        315 27.221.66.133
        309 27.221.66.143
        306 27.221.66.134
        304 27.221.66.132
        290 27.221.49.135
        282 27.221.66.139
        282 27.221.66.138
        280 27.221.66.137
        280 27.221.66.136
        276 27.221.66.152
        267 27.221.66.146
        265 27.221.66.148
        263 27.221.66.147
        241 216.244.66.201
        238 27.221.66.154
This is just the top 25! The list with more than 100 downloads is very long... :|
Regards
Johannes
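Added example (not part of the thread and not any participant's code): the per-IP `grep | awk | sort | uniq -c` counts posted above, extended to group `.iso` requests by /24 and to list clients that re-fetch the same image, since blocking single addresses only moved the traffic to other addresses. It assumes a combined-format access log with IPv4 clients; the function names and the sample log (documentation address ranges) are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.
# Assumes combined log format: $1 = client IPv4, $6 = "GET, $7 = request path.

# iso_by_subnet LOGFILE [MIN]: "<net>/24 <iso requests> <distinct clients>"
# for each /24 with at least MIN GET requests for a .iso file, busiest first.
iso_by_subnet() {
    awk -v min="${2:-1}" '
        $6 == "\"GET" && $7 ~ /\.iso([?]|$)/ &&
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            hits[net]++
            if (!seen[net, $1]++) clients[net]++
        }
        END { for (n in hits) if (hits[n] >= min) print n, hits[n], clients[n] }
    ' "$1" | sort -k2,2nr -k1,1
}

# repeat_downloaders LOGFILE MIN: "<ip> <path> <count>" for clients that
# fetched the same .iso at least MIN times (the re-download loop).
repeat_downloaders() {
    awk -v min="$2" '
        $6 == "\"GET" && $7 ~ /\.iso([?]|$)/ { n[$1 " " $7]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }
    ' "$1" | sort -k3,3nr -k1,1
}

# Constructed sample log using documentation address ranges.
sample_log() {
    iso='/archlinux/iso/latest/archlinux-x86_64.iso'
    for ip in 198.51.100.10 198.51.100.10 198.51.100.11 198.51.100.11 \
              198.51.100.12 203.0.113.7; do
        printf '%s - - [02/Jul/2020:06:00:00 +0000] "GET %s HTTP/1.1" 200 1024 "-" "ua"\n' "$ip" "$iso"
    done
    # Not counted: a package database fetch and a HEAD request.
    printf '%s\n' \
        '203.0.113.7 - - [02/Jul/2020:06:00:05 +0000] "GET /archlinux/core/os/x86_64/core.db HTTP/1.1" 200 512 "-" "ua"' \
        '192.0.2.5 - - [02/Jul/2020:06:00:06 +0000] "HEAD /archlinux/iso/latest/archlinux-x86_64.iso HTTP/1.1" 200 0 "-" "ua"'
}
```

Against a real log, a call such as `iso_by_subnet /var/log/nginx/mirrors.access.log 100` lists only the ranges worth a single subnet-level throttle or block rule.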
participants (5)
- Johannes Findeisen
- mirror-admin
- services
- Siyuan Miao
- TUNA Mirror Team