[arch-general] HTTP spam from China
David C. Rankin
drankinatty at suddenlinkmail.com
Tue Feb 26 18:39:31 UTC 2019
On 02/26/2019 06:40 AM, Juha Kankare via arch-general wrote:
> I'm getting a lot of connections from China it seems. Whenever I check
> my journalctl, it's an endless wall of nginx complaints about a single
> IP spamming requests for different php files. This happens with hundreds
> of IPs, and tens of times daily. Has anyone else been hit by this? I
> already made a shell script to block all connections from China, but I'm
> curious as to why this happens, and if anyone else has had the same
> problem.
>
I take the sledgehammer approach and simply block the entire APNIC and
AFRINIC IP blocks and a good portion of RIPE with iptables. Dramatically
reduces the amount of mischief coming from the internet. Then whitelist
specific IPs if needed for some individual package. Not optimal, but very,
very effective. Top 2 offenders are RIPE, China ranks number 3 and India
provides an impressive number 4 from 45.112.0.0/12 alone.
My Top-20 Offenders are:
Chain INPUT
      pkts  bytes  Source
 1   99639  5901K  185.0.0.0/8
 2   27859  1671K  141.0.0.0/8
 3   14529   792K  220.0.0.0/8
 4   14188  1061K  45.112.0.0/12
 5   12852   766K  213.0.0.0/8
 6   11428   680K  89.0.0.0/8
 7    9340   636K  193.0.0.0/8
 8    9215   542K  46.0.0.0/8
 9    8685   479K  91.0.0.0/8
10    8134   484K  180.0.0.0/8
11    7929   470K  93.0.0.0/8
12    7363   428K  5.0.0.0/8
13    7059   419K  109.0.0.0/8
14    5686   328K  202.0.0.0/8
15    5030   298K  85.0.0.0/8
16    4194   240K  195.0.0.0/8
17    4190   245K  178.0.0.0/8
18    4125   238K  188.0.0.0/8
19    4111   243K  77.0.0.0/8
20    3818   225K  80.0.0.0/8
--
David C. Rankin, J.D.,P.E.
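
An added example, not part of the original post and not the poster's own script: one way to produce a ranked "top offenders" table like the one above from the per-rule counters that `iptables -nvxL INPUT` reports. The function names, the sample counters and the whitelisted address (a documentation-range IP) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: rank iptables DROP rules by how many packets each one matched.

# Constructed sample of `iptables -nvxL INPUT` output. Counters are made up;
# the ACCEPT rule stands in for a whitelisted address.
sample_counters() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412    31004 ACCEPT     all  --  *      *       203.0.113.10         0.0.0.0/0
    1200    72000 DROP       all  --  *      *       220.0.0.0/8          0.0.0.0/0
    9100   546000 DROP       all  --  *      *       185.0.0.0/8          0.0.0.0/0
       0        0 DROP       all  --  *      *       45.112.0.0/12        0.0.0.0/0
    3050   183000 DROP       all  --  *      *       141.0.0.0/8          0.0.0.0/0
EOF
}

# top_offenders [N]: read `iptables -nvxL INPUT` text on stdin, keep DROP rules
# that matched at least one packet, and print "rank pkts bytes source",
# highest packet count first. N defaults to 20.
top_offenders() {
    local limit="${1:-20}"
    # Columns with -v: pkts bytes target prot opt in out source destination.
    # The numeric test on $1 skips the "Chain ..." and column-header lines.
    awk '$3 == "DROP" && $1 ~ /^[0-9]+$/ && $1 > 0 { print $1, $2, $8 }' |
        sort -k1,1nr -k3,3 |
        head -n "$limit" |
        awk '{ printf "%2d %8d %10d  %s\n", NR, $1, $2, $3 }'
}

# Run against the constructed sample. On a live host (as root) use instead:
#   iptables -nvxL INPUT | top_offenders 20
sample_counters | top_offenders 3
```

The `-x` flag makes iptables print exact counters rather than rounded K/M values, which keeps the numeric sort correct.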