[arch-mirrors] DoS- mirror.chaoticum.net
Hi everyone,

Today, my logfile (apache2) was full of thousands and thousands of requests like this:

85.14.109.184 - - [21/Oct/2019:14:57:33 +0200] "\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80\xc2k\xbbh\xdd\xfa\x06\xc3b\x0e\xd8L\x87\xd4\xbd\xd0\x02\x86\xfc\xc6\xe6\xd2\xc1\xad8\v0\r\xfb\xb83\x9d\xca^\xa8h\x97\x99\xad\x9a\xfd\xed\xe1\xd4\xbf^'\xfeg\xbe#\xf0\x9d\x80qM\xb2\xe3A\x8a$Z\x94\xc1*\xae\x11\xf4\x82\xe9\xd14wV\xef\x0ez\xe0\x83\xfe\x07\xab\x86d\xdfN\xb0N6\v\xa8\x1e{\xb0\xc1\xe9\xa3(\xd7E\xc7\xa2\x17\xce\xe5X\xdd@\xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:\"\xb89\xb3\xa4u0\x91\xe4\xac\xe2\xb4P\v\x8c\n" 400 0 "-" "-"

For this reason, my mirror was not reachable for much of the time. Sorry.

To me it looks like a DoS attack, but I am not sure. Has anyone seen this at any time in their logfiles, or does anyone have any further ideas/information?

Now I have solved the problem by blocking 851 different IPs, and I think it is running stable now.

Greetings
Andi Pfister

Hello,

I have already found this log on my reverse proxy with login administrator. In my case, it's linked to tests to connect to a Windows Server TSE. I compare log time and connection time on my FW and user test add more information.

Many IPs are banned with this log.

In my case, it isn't a DoS, just a brute force.

Eric.

On Mon, 21 Oct 2019 at 16:12, Andreas Pfister <andi-pfister@gmx.ch> wrote:
> Hi everyone,
>
> Today, my logfile (apache2) was full of thousands and thousands of requests like this:
>
> 85.14.109.184 - - [21/Oct/2019:14:57:33 +0200] "\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80\xc2k\xbbh\xdd\xfa\x06\xc3b\x0e\xd8L\x87\xd4\xbd\xd0\x02\x86\xfc\xc6\xe6\xd2\xc1\xad8\v0\r\xfb\xb83\x9d\xca^\xa8h\x97\x99\xad\x9a\xfd\xed\xe1\xd4\xbf^'\xfeg\xbe#\xf0\x9d\x80qM\xb2\xe3A\x8a$Z\x94\xc1*\xae\x11\xf4\x82\xe9\xd14wV\xef\x0ez\xe0\x83\xfe\x07\xab\x86d\xdfN\xb0N6\v\xa8\x1e{\xb0\xc1\xe9\xa3(\xd7E\xc7\xa2\x17\xce\xe5X\xdd@\xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:\"\xb89\xb3\xa4u0\x91\xe4\xac\xe2\xb4P\v\x8c\n" 400 0 "-" "-"
>
> For this reason, my mirror was not reachable for much of the time. Sorry.
>
> To me it looks like a DoS attack, but I am not sure. Has anyone seen this at any time in their logfiles, or does anyone have any further ideas/information?
>
> Now I have solved the problem by blocking 851 different IPs, and I think it is running stable now.
>
> Greetings
> Andi Pfister

Hello,

I'm guessing that these logs are generated by BitTorrent clients that are connecting to your mirror via the .torrent download. There is the .torrent file https://www.archlinux.org/download/ which, as I see, uses all mirrors to download the latest ISO image.

---
Artis Šteinbergs

Eric Thirifays @ 22.10.2019 10:21 wrote:
> Hello,
>
> I have already found this log on my reverse proxy with login administrator. In my case, it's linked to tests to connect to a Windows Server TSE. I compare log time and connection time on my FW and user test add more information.
>
> Many IPs are banned with this log.
>
> In my case, it isn't a DoS, just a brute force.
>
> Eric.
>
> On Mon, 21 Oct 2019 at 16:12, Andreas Pfister <andi-pfister@gmx.ch> wrote:
> > Hi everyone,
> >
> > Today, my logfile (apache2) was full of thousands and thousands of requests like this:
> >
> > 85.14.109.184 - - [21/Oct/2019:14:57:33 +0200] "\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80\xc2k\xbbh\xdd\xfa\x06\xc3b\x0e\xd8L\x87\xd4\xbd\xd0\x02\x86\xfc\xc6\xe6\xd2\xc1\xad8\v0\r\xfb\xb83\x9d\xca^\xa8h\x97\x99\xad\x9a\xfd\xed\xe1\xd4\xbf^'\xfeg\xbe#\xf0\x9d\x80qM\xb2\xe3A\x8a$Z\x94\xc1*\xae\x11\xf4\x82\xe9\xd14wV\xef\x0ez\xe0\x83\xfe\x07\xab\x86d\xdfN\xb0N6\v\xa8\x1e{\xb0\xc1\xe9\xa3(\xd7E\xc7\xa2\x17\xce\xe5X\xdd@\xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:\"\xb89\xb3\xa4u0\x91\xe4\xac\xe2\xb4P\v\x8c\n" 400 0 "-" "-"
> >
> > For this reason, my mirror was not reachable for much of the time. Sorry.
> >
> > To me it looks like a DoS attack, but I am not sure. Has anyone seen this at any time in their logfiles, or does anyone have any further ideas/information?
> >
> > Now I have solved the problem by blocking 851 different IPs, and I think it is running stable now.
> >
> > Greetings
> > Andi Pfister

participants (3)
- Andreas Pfister
- Artis Steinbergs
- Eric Thirifays
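
An added example, not part of the original thread: one way to count, per source address, the 400 responses caused by non-HTTP binary request lines like the one quoted in the first message, so that a block list can be derived from the access log instead of collected by hand. The sample log lines, the addresses (documentation ranges), the 0.3 escape ratio and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Apache access-log prefix: host, ident, user, [time], "request", status, bytes.
# Apache writes non-printable request bytes as \xhh and a literal quote as \".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
HTTP_REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d(?:\.\d)?$')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def is_binary_junk(req: str, status: str) -> bool:
    """True for a 400 whose request line is not HTTP and is mostly escaped bytes."""
    if status != "400" or HTTP_REQ_RE.match(req):
        return False
    escaped = len(ESCAPE_RE.findall(req))
    # Each \xhh takes 4 log characters but stands for 1 byte on the wire.
    raw_len = len(req) - 3 * escaped
    return raw_len > 0 and escaped / raw_len >= 0.3  # assumed ratio


def offenders(lines, threshold=2):
    """Return {ip: count} for sources with at least `threshold` junk requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_binary_junk(m["req"], m["status"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample lines: documentation addresses, shortened payloads.
SAMPLE = [
    r'192.0.2.10 - - [21/Oct/2019:14:57:33 +0200] "\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80" 400 0 "-" "-"',
    r'192.0.2.10 - - [21/Oct/2019:14:57:34 +0200] "\xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:" 400 0 "-" "-"',
    r'198.51.100.7 - - [21/Oct/2019:14:57:35 +0200] "\x9d\xca^\xa8h\x97\x99\"\xb89" 400 0 "-" "-"',
    r'203.0.113.5 - - [21/Oct/2019:14:57:36 +0200] "GET /core/os/x86_64/core.db HTTP/1.1" 200 136024 "-" "pacman/5.2.0"',
    r'203.0.113.5 - - [21/Oct/2019:14:57:37 +0200] "GET /%zz HTTP/1.1" 400 226 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE).items()):
        print(ip, n)
```

A malformed but HTTP-shaped request that also returns 400 (the last sample line) is deliberately not counted, so ordinary broken clients do not end up on the block list.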