Hello, Same case here. Impact is low here (via one ip only), because a file which don't exist (old iso) : arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory) Can you share ip on the list for compare and block all ip before ddos ? Regards, Eric. On 7/2/2020 5:02 AM, mirror-admin wrote:

Hello,

Yes, we notice same download pattern from china IP. Not only for Archlinux, but for other archive as well.

What we do is try to be nice, we throttling down our upload speed to their IP.

Thx

On 7/2/2020 09:49, Johannes Findeisen wrote:

...

Hello,

I am driving the mirror arch.unixpeople.org. Since some months I encounter a lot of traffic from China which seems to be like a DDoS. I fixed this some month ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules and to see what happens... Just some hours ago the DDoS startet again so I really had to block China from my mirror again because it would become a fulltime job to monitor my host.

While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many many IP addresses in China. When the download from one IP had finished the download directly started again from exactly the same IP in an endless loop.

Does anyone other here encounter such things?

Regards

Johannes

Hi, we got request from fraction of subnet 27.221.66.0/24 thx On 7/2/2020 12:52, services via arch-mirrors wrote:

Hello,

Same case here.

Impact is low here (via one ip only), because a file which don't exist (old iso) : arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)

Can you share ip on the list for compare and block all ip before ddos ?

Regards, Eric.

On 7/2/2020 5:02 AM, mirror-admin wrote:

...

Hello,

Yes, we notice same download pattern from china IP. Not only for Archlinux, but for other archive as well.

What we do is try to be nice, we throttling down our upload speed to their IP.

Thx

On 7/2/2020 09:49, Johannes Findeisen wrote:

...

Hello,

I am driving the mirror arch.unixpeople.org. Since some months I encounter a lot of traffic from China which seems to be like a DDoS. I fixed this some month ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules and to see what happens... Just some hours ago the DDoS startet again so I really had to block China from my mirror again because it would become a fulltime job to monitor my host.

While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many many IP addresses in China. When the download from one IP had finished the download directly started again from exactly the same IP in an endless loop.

Does anyone other here encounter such things?

Regards

Johannes

Ip is on same range for me and found 4 new ip yesterday on another range (scan 22H CEST) : 119.176.61.18 119.176.61.22 119.176.61.16 119.176.61.12 On 7/2/2020 8:25 AM, Siyuan Miao wrote:

We also received lots requests from 27.221.66.0/24 http://27.221.66.0/24.

aveline@mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr     178 27.221.66.133     176 27.221.66.144     163 27.221.66.143     163 27.221.66.132     158 27.221.66.138     155 27.221.66.141     153 27.221.66.131     150 27.221.66.149     144 27.221.66.147     137 27.221.66.142     136 27.221.66.136     136 27.221.49.135     133 27.221.66.154     133 27.221.66.134     131 27.221.66.151     131 27.221.66.146     130 27.221.66.137     124 27.221.66.139     120 27.221.66.153     102 27.221.66.148      93 27.221.66.152

On Thu, Jul 2, 2020 at 2:14 PM mirror-admin mailto:mirror-admin@labkom.id> wrote:

Hi,

we got request from fraction of subnet 27.221.66.0/24 http://27.221.66.0/24

thx

On 7/2/2020 12:52, services via arch-mirrors wrote:

> Hello, > > Same case here. > > Impact is low here (via one ip only), because a file which don't exist > (old iso) : > arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No > such file or directory) > > Can you share ip on the list for compare and block all ip before ddos ? > > Regards, > Eric. > > On 7/2/2020 5:02 AM, mirror-admin wrote: >> Hello, >> >> Yes, we notice same download pattern from china IP. Not only for >> Archlinux, but for other archive as well. >> >> What we do is try to be nice, we throttling down our upload speed to >> their IP. >> >> Thx >> >> On 7/2/2020 09:49, Johannes Findeisen wrote: >>> Hello, >>> >>> I am driving the mirror arch.unixpeople.org http://arch.unixpeople.org. Since some months I >>> encounter a lot of traffic from China which seems to be like a DDoS. I >>> fixed this some month ago by blocking all IP address ranges from China. >>> This stopped the traffic. Yesterday I tried to remove all my firewall >>> rules and to see what happens... Just some hours ago the DDoS startet >>> again so I really had to block China from my mirror again because it >>> would become a fulltime job to monitor my host. >>> >>> While all this happened I tried to figure out what's going on and saw >>> endless downloads of the arch .iso file from many many IP addresses in >>> China. When the download from one IP had finished the download directly >>> started again from exactly the same IP in an endless loop. >>> >>> Does anyone other here encounter such things? >>> >>> Regards >>> >>> Johannes

On Thu, 2 Jul 2020 07:52:26 +0200 services via arch-mirrors wrote:

Hello,

Same case here.

Impact is low here (via one ip only), because a file which don't exist (old iso) : arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)

Can you share ip on the list for compare and block all ip before ddos ?

Okay, this is from the past but is from an logfile older then about 3 month: a lighttpd # grep iso arch.unixpeople.org.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | head -n 25 1572 194.147.110.21 1220 95.217.42.120 553 51.6.209.241 401 212.129.50.243 342 147.75.65.86 341 27.221.66.142 340 86.58.83.97 323 27.221.66.141 323 27.221.66.131 316 27.221.66.144 315 27.221.66.133 309 27.221.66.143 306 27.221.66.134 304 27.221.66.132 290 27.221.49.135 282 27.221.66.139 282 27.221.66.138 280 27.221.66.137 280 27.221.66.136 276 27.221.66.152 267 27.221.66.146 265 27.221.66.148 263 27.221.66.147 241 216.244.66.201 238 27.221.66.154 It this is just the top 25! The list with more then 100 downloads is very long... :| Regards Johannes