Re: [arch-mirrors] Huge traffic from China (services)
We're having this too.

ave@owobox:/home/ave $ sudo grep iso /var/log/nginx/access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | grep 27.221.66
     29 27.221.66.139
     27 27.221.66.136
     26 27.221.66.137
     26 27.221.66.133
     25 27.221.66.134
     24 27.221.66.144
     23 27.221.66.148
     21 27.221.66.143
     21 27.221.66.138
     21 27.221.66.132
     20 27.221.66.141
     18 27.221.66.147
     17 27.221.66.153
     16 27.221.66.151
     16 27.221.66.146
     16 27.221.66.142
     16 27.221.66.131
     15 27.221.66.149
     13 27.221.66.154
     13 27.221.66.152

They all seem to be trying to fetch "/iso/2020.02.01/archlinux-2020.02.01-x86_64.iso" and "/iso/2020.03.01/archlinux-2020.03.01-x86_64.iso", which are 404 on our end. UA for all is "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3".

I personally blocked the /24 (sudo ufw insert 1 deny from 27.221.66.0/24 to any).

The behavior seems like it's not in good faith (the requests have 30s-4m between them), and while I don't think much will happen, I'll be filing an IP abuse notice to China Unicom about this (hqs-ipabuse@chinaunicom.cn).

On 7/2/20 3:00 PM, arch-mirrors-request@archlinux.org wrote:
Send arch-mirrors mailing list submissions to arch-mirrors@archlinux.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.archlinux.org/listinfo/arch-mirrors or, via email, send a message with subject or body 'help' to arch-mirrors-request@archlinux.org
You can reach the person managing the list at arch-mirrors-owner@archlinux.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of arch-mirrors digest..."
Today's Topics:
1. Re: Huge traffic from China (services)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Jul 2020 09:06:05 +0200
From: services <services+mirrors@eric.ovh>
To: arch-mirrors@archlinux.org
Subject: Re: [arch-mirrors] Huge traffic from China
Message-ID: <7066fda6-b2f2-b1b9-90fd-ef257920ee72@eric.ovh>
Content-Type: text/plain; charset=utf-8; format=flowed
The IP is on the same range for me,
and I found 4 new IPs yesterday on another range (scan 22H CEST): 119.176.61.18 119.176.61.22 119.176.61.16 119.176.61.12
On 7/2/2020 8:25 AM, Siyuan Miao wrote:
We also received lots of requests from 27.221.66.0/24.
aveline@mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr
    178 27.221.66.133
    176 27.221.66.144
    163 27.221.66.143
    163 27.221.66.132
    158 27.221.66.138
    155 27.221.66.141
    153 27.221.66.131
    150 27.221.66.149
    144 27.221.66.147
    137 27.221.66.142
    136 27.221.66.136
    136 27.221.49.135
    133 27.221.66.154
    133 27.221.66.134
    131 27.221.66.151
    131 27.221.66.146
    130 27.221.66.137
    124 27.221.66.139
    120 27.221.66.153
    102 27.221.66.148
     93 27.221.66.152
On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin@labkom.id> wrote:
Hi,
we got requests from a fraction of subnet 27.221.66.0/24
thx
On 7/2/2020 12:52, services via arch-mirrors wrote:
Hello,
Same case here.
Impact is low here (via one IP only), because it is a file which doesn't exist (old iso): arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
Can you share IPs on the list to compare and block all IPs before a DDoS?
Regards, Eric.
On 7/2/2020 5:02 AM, mirror-admin wrote:
Hello,
Yes, we notice the same download pattern from China IPs. Not only for Archlinux, but for other archives as well.
What we do is try to be nice: we are throttling down our upload speed to their IPs.
Thx
On 7/2/2020 09:49, Johannes Findeisen wrote:
Hello,
I am driving the mirror arch.unixpeople.org. For some months I have encountered a lot of traffic from China which seems to be like a DDoS. I fixed this some months ago by blocking all IP address ranges from China. This stopped the traffic. Yesterday I tried to remove all my firewall rules to see what happens... Just some hours ago the DDoS started again, so I really had to block China from my mirror again because it would become a full-time job to monitor my host.
While all this happened I tried to figure out what's going on and saw endless downloads of the arch .iso file from many many IP addresses in China. When the download from one IP had finished, the download directly started again from exactly the same IP in an endless loop.
Does anyone else here encounter such things?
Regards
Johannes
------------------------------
Subject: Digest Footer
_______________________________________________ arch-mirrors mailing list arch-mirrors@archlinux.org https://lists.archlinux.org/listinfo/arch-mirrors
------------------------------
End of arch-mirrors Digest, Vol 98, Issue 2 *******************************************
-- -Ave https://ave.zone
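The grep/awk/sort triage the posters do by hand (per-IP request counts, per-/24 totals, bytes served) as two reusable functions, written here as an added example rather than taken from any message in the thread. The nginx combined-format log lines are constructed for the example; 198.51.100.7 and 203.0.113.5 are documentation-range placeholders for ordinary clients.

```shell
#!/bin/sh
# Added example, not code from the thread. Field layout of an nginx combined log
# line: $1 client IP, $7 request path, $9 status, $10 body bytes sent.
# SAMPLE_LOG is constructed; the 27.221.66.x lines mimic the 404 loop the thread
# describes, the others are placeholder clients.
SAMPLE_LOG=$(cat <<'EOF'
27.221.66.139 - - [02/Jul/2020:13:00:01 +0300] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
27.221.66.139 - - [02/Jul/2020:13:02:40 +0300] "GET /iso/2020.02.01/archlinux-2020.02.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
27.221.66.139 - - [02/Jul/2020:13:05:12 +0300] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
27.221.66.136 - - [02/Jul/2020:13:01:07 +0300] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
119.176.61.18 - - [02/Jul/2020:13:03:33 +0300] "GET /iso/2020.07.01/archlinux-2020.07.01-x86_64.iso HTTP/1.1" 200 681574400 "-" "Wget/1.20.3 (linux-gnu)"
198.51.100.7 - - [02/Jul/2020:13:04:09 +0300] "GET /iso/2020.07.01/archlinux-2020.07.01-x86_64.iso HTTP/1.1" 200 681574400 "-" "curl/7.71.1"
203.0.113.5 - - [02/Jul/2020:13:04:10 +0300] "GET /core/os/x86_64/core.db HTTP/1.1" 200 150000 "-" "pacman/5.2.1 (Linux x86_64) libalpm/12.0.1"
EOF
)

# Per-/24 view of ISO fetches: requests, bytes served, distinct ISO paths, and
# non-200 responses. A 404 loop shows up as non200 == requests; a bandwidth
# drain shows up in the bytes column even when every request is a 200.
iso_by_net() {
  awk '$7 ~ /\.iso$/ {
         split($1, o, /\./); net = o[1] "." o[2] "." o[3] ".0/24"
         req[net]++; bytes[net] += $10
         if (!((net, $7) in seen)) { seen[net, $7] = 1; paths[net]++ }
         if ($9 != 200) bad[net]++
       }
       END { for (n in req) printf "%s %d %d %d %d\n", n, req[n], bytes[n], paths[n], bad[n] + 0 }' |
  LC_ALL=C sort -k2,2nr -k1,1
}

# Clients that fetched the same ISO path at least $1 times (default 2): the
# "finished, then started again from the same IP" loop described in the thread.
repeat_fetchers() {
  awk -v min="${1:-2}" '$7 ~ /\.iso$/ { n[$1 " " $7]++ }
       END { for (k in n) if (n[k] >= min) print k, n[k] }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | iso_by_net
printf '%s\n' "$SAMPLE_LOG" | repeat_fetchers 2
```

On a real mirror, feed the functions from the access log instead of the sample, e.g. `iso_by_net < /var/log/nginx/access.log`; the awk field numbers assume the default combined format.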
Here is my research based on repo.miserver.it.umich.edu. It seems that those IP addresses keep downloading ISO files, and have used almost a quarter of our bandwidth since April. I banned 27.221.49 and 27.221.66.*. I am contacting them and will post their reply here as soon as I get it.

# This behavior started in March
[root@repo lighttpd]# ll access.log*
-rw-r--r-- 1 http http   53197046 Jul 2 08:53 access.log
-rw-r--r-- 1 http http 1713174955 Jul 1 00:00 access.log.1
-rw-r--r-- 1 http http 1972937896 Jun 1 00:00 access.log.2
-rw-r--r-- 1 http http 1999391672 May 1 00:00 access.log.3
-rw-r--r-- 1 http http 1442159335 Apr 1 00:00 access.log.4
-rw-r--r-- 1 http http 1741198642 Mar 1 00:00 access.log.5
-rw-r--r-- 1 http http 1261033787 Feb 1 00:00 access.log.6
[root@repo lighttpd]# grep -c ^27.221 access.log*
access.log:1502
access.log.1:29565
access.log.2:28368
access.log.3:11168
access.log.4:33081
access.log.5:1031
access.log.6:0

# 27.221.* used 9TB vs other IP addresses used 30TB combined.
[root@repo lighttpd]# cat access.log access.log.[1234] | grep -v ^27.221 | awk '{s += $10}END{print int(s/1048576/1048576) "TB" }'
30TB
[root@repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | awk '{s += $10}END{print int(s/1048576/1048576) "TB" }'
9TB

# their sub networks
[root@repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | cut -d . -f 1-3 | sort | uniq -c
   3095 27.221.49
 100596 27.221.66

# all CentOS ISO files
[root@repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | grep -v centos | wc -l
0
[root@repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | grep -v iso | wc -l
0

Best,
Manhong

On 7/2/20 8:16 AM, Ave wrote:
Hi,
For me they are really getting an iso that exists. And when the download has finished, the download starts from the same IP again. And for me it is not only from one subnet but many different networks. When I block these networks manually, after some time everything starts again from other networks.
Regards
Johannes

On Thu, 2 Jul 2020 15:16:35 +0300 Ave wrote:
participants (3): Ave, Johannes Findeisen, Manhong Dai