[arch-mirrors] Huge traffic from China
services
services+mirrors at eric.ovh
Thu Jul 2 07:06:05 UTC 2020
Ip is on same range for me
and found 4 new ip yesterday on another range (scan 22H CEST) :
119.176.61.18
119.176.61.22
119.176.61.16
119.176.61.12
On 7/2/2020 8:25 AM, Siyuan Miao wrote:
> We also received lots requests from 27.221.66.0/24 <http://27.221.66.0/24>.
>
> aveline at mirror-iad01-a:~# sudo grep iso
> /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq
> -c | sort -nr
> 178 27.221.66.133
> 176 27.221.66.144
> 163 27.221.66.143
> 163 27.221.66.132
> 158 27.221.66.138
> 155 27.221.66.141
> 153 27.221.66.131
> 150 27.221.66.149
> 144 27.221.66.147
> 137 27.221.66.142
> 136 27.221.66.136
> 136 27.221.49.135
> 133 27.221.66.154
> 133 27.221.66.134
> 131 27.221.66.151
> 131 27.221.66.146
> 130 27.221.66.137
> 124 27.221.66.139
> 120 27.221.66.153
> 102 27.221.66.148
> 93 27.221.66.152
>
> On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin at labkom.id
> <mailto:mirror-admin at labkom.id>> wrote:
>
> Hi,
>
> we got request from fraction of subnet 27.221.66.0/24
> <http://27.221.66.0/24>
>
> thx
>
> On 7/2/2020 12:52, services via arch-mirrors wrote:
>
> > Hello,
> >
> > Same case here.
> >
> > Impact is low here (via one ip only), because a file which don't
> exist
> > (old iso) :
> > arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No
> > such file or directory)
> >
> > Can you share ip on the list for compare and block all ip before
> ddos ?
> >
> > Regards,
> > Eric.
> >
> > On 7/2/2020 5:02 AM, mirror-admin wrote:
> >> Hello,
> >>
> >> Yes, we notice same download pattern from china IP. Not only for
> >> Archlinux, but for other archive as well.
> >>
> >> What we do is try to be nice, we throttling down our upload
> speed to
> >> their IP.
> >>
> >> Thx
> >>
> >> On 7/2/2020 09:49, Johannes Findeisen wrote:
> >>> Hello,
> >>>
> >>> I am driving the mirror arch.unixpeople.org
> <http://arch.unixpeople.org>. Since some months I
> >>> encounter a lot of traffic from China which seems to be like a
> DDoS. I
> >>> fixed this some month ago by blocking all IP address ranges
> from China.
> >>> This stopped the traffic. Yesterday I tried to remove all my
> firewall
> >>> rules and to see what happens... Just some hours ago the DDoS
> startet
> >>> again so I really had to block China from my mirror again
> because it
> >>> would become a fulltime job to monitor my host.
> >>>
> >>> While all this happened I tried to figure out what's going on
> and saw
> >>> endless downloads of the arch .iso file from many many IP
> addresses in
> >>> China. When the download from one IP had finished the download
> directly
> >>> started again from exactly the same IP in an endless loop.
> >>>
> >>> Does anyone other here encounter such things?
> >>>
> >>> Regards
> >>>
> >>> Johannes
>
More information about the arch-mirrors
mailing list