[arch-mirrors] Huge traffic from China

services services+mirrors at eric.ovh
Thu Jul 2 07:06:05 UTC 2020


The IP is in the same range for me,

and I found 4 new IPs yesterday on another range (scan 22H CEST):
119.176.61.18
119.176.61.22
119.176.61.16
119.176.61.12


On 7/2/2020 8:25 AM, Siyuan Miao wrote:
> We also received lots of requests from 27.221.66.0/24.
> 
> aveline at mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr
>      178 27.221.66.133
>      176 27.221.66.144
>      163 27.221.66.143
>      163 27.221.66.132
>      158 27.221.66.138
>      155 27.221.66.141
>      153 27.221.66.131
>      150 27.221.66.149
>      144 27.221.66.147
>      137 27.221.66.142
>      136 27.221.66.136
>      136 27.221.49.135
>      133 27.221.66.154
>      133 27.221.66.134
>      131 27.221.66.151
>      131 27.221.66.146
>      130 27.221.66.137
>      124 27.221.66.139
>      120 27.221.66.153
>      102 27.221.66.148
>       93 27.221.66.152
> 
> On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin at labkom.id> wrote:
> 
>     Hi,
> 
>     we got requests from a fraction of subnet 27.221.66.0/24
> 
>     thx
> 
>     On 7/2/2020 12:52, services via arch-mirrors wrote:
> 
>      > Hello,
>      >
>      > Same case here.
>      >
>      > Impact is low here (via one IP only), because of a file which doesn't exist
>      > (old iso):
>      > arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No such file or directory)
>      >
>      > Can you share the IPs on the list, to compare and block all IPs before a DDoS?
>      >
>      > Regards,
>      > Eric.
>      >
>      > On 7/2/2020 5:02 AM, mirror-admin wrote:
>      >> Hello,
>      >>
>      >> Yes, we notice the same download pattern from China IPs. Not only for
>      >> Arch Linux, but for other archives as well.
>      >>
>      >> What we do is try to be nice: we throttle down our upload speed to
>      >> their IPs.
>      >>
>      >> Thx
>      >>
>      >> On 7/2/2020 09:49, Johannes Findeisen wrote:
>      >>> Hello,
>      >>>
>      >>> I am driving the mirror arch.unixpeople.org. For some months I have been
>      >>> encountering a lot of traffic from China which seems to be like a DDoS. I
>      >>> fixed this some months ago by blocking all IP address ranges from China.
>      >>> This stopped the traffic. Yesterday I tried to remove all my firewall
>      >>> rules and to see what happens... Just some hours ago the DDoS started
>      >>> again so I really had to block China from my mirror again because it
>      >>> would become a full-time job to monitor my host.
>      >>>
>      >>> While all this happened I tried to figure out what's going on and saw
>      >>> endless downloads of the arch .iso file from many many IP addresses in
>      >>> China. When the download from one IP had finished, the download directly
>      >>> started again from exactly the same IP in an endless loop.
>      >>>
>      >>> Does anyone else here encounter such things?
>      >>>
>      >>> Regards
>      >>>
>      >>> Johannes
> 
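
Added example, not part of the original thread or written by any of its participants: a variant of the per-IP count quoted above that totals `.iso` requests per /24 and lists clients re-fetching the same image, the two patterns the thread describes. It assumes nginx's "combined" log format and IPv4 clients; the function names and the sample log (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Assumes nginx "combined" log format (client IP in field 1, request path in
# field 7) and IPv4 clients only.

# Per-/24 totals for .iso requests: "<requests> <distinct IPs> <network>"
iso_by_subnet() {
    awk '
        $7 ~ /\.iso$/ {
            split($1, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            hits[net]++
            if (!seen[net, $1]++) ips[net]++
        }
        END { for (n in hits) print hits[n], ips[n], n }
    ' "$1" | sort -k1,1nr -k3,3
}

# Clients that fetched the same .iso at least $2 times: "<count> <IP> <path>"
repeat_downloaders() {
    awk -v min="$2" '
        $7 ~ /\.iso$/ { c[$1 " " $7]++ }
        END { for (k in c) if (c[k] >= min) print c[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, not real clients).
sample_log() {
    fmt='%s - - [02/Jul/2020:05:00:00 +0000] "GET %s HTTP/1.1" 200 1024 "-" "-"\n'
    iso=/iso/2020.03.01/archlinux-2020.03.01-x86_64.iso
    for ip in 192.0.2.10 192.0.2.10 192.0.2.10 192.0.2.11 198.51.100.7; do
        printf "$fmt" "$ip" "$iso"
    done
    printf "$fmt" 192.0.2.12 /core/os/x86_64/core.db
}

log=$(mktemp)
sample_log > "$log"
iso_by_subnet "$log"
repeat_downloaders "$log" 3
rm -f "$log"
```

Matching on the request path rather than grepping the whole line for "iso" keeps referrer or user-agent strings from inflating the counts.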

