[arch-mirrors] Huge traffic from China (services)

Manhong Dai daimh at umich.edu
Thu Jul 2 13:08:44 UTC 2020


Here is my research based on repo.miserver.it.umich.edu. It seems that 
those IP addresses keep downloading ISO files, and have used almost a 
quarter of our bandwidth since April.

I banned 27.221.49 and 27.221.66.*. I am contacting them and will post 
their reply here as soon as I get it.

# This behavior started in March
[root at repo lighttpd]# ll access.log*
-rw-r--r-- 1 http http   53197046 Jul  2 08:53 access.log
-rw-r--r-- 1 http http 1713174955 Jul  1 00:00 access.log.1
-rw-r--r-- 1 http http 1972937896 Jun  1 00:00 access.log.2
-rw-r--r-- 1 http http 1999391672 May  1 00:00 access.log.3
-rw-r--r-- 1 http http 1442159335 Apr  1 00:00 access.log.4
-rw-r--r-- 1 http http 1741198642 Mar  1 00:00 access.log.5
-rw-r--r-- 1 http http 1261033787 Feb  1 00:00 access.log.6
[root at repo lighttpd]# grep -c ^27.221 access.log*
access.log:1502
access.log.1:29565
access.log.2:28368
access.log.3:11168
access.log.4:33081
access.log.5:1031
access.log.6:0

#27.221.* used 9TB vs other IP addresses used 30TB combined.
[root at repo lighttpd]# cat access.log access.log.[1234] | grep -v ^27.221 | awk '{s += $10}END{print int(s/1048576/1048576) "TB" }'
30TB
[root at repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | awk '{s += $10}END{print int(s/1048576/1048576) "TB" }'
9TB

#their sub networks
[root at repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | cut -d . -f 1-3 |sort | uniq -c
    3095 27.221.49
  100596 27.221.66

#all CentOS ISO files
[root at repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | grep -v centos | wc -l
0
[root at repo lighttpd]# cat access.log access.log.[1234] | grep ^27.221 | grep -v iso | wc -l
0


Best,

Manhong
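An added example, not part of Manhong's message or any mirror's own tooling: a small Python version of the log tallies above, run on constructed combined-format lines so it works offline. It groups served bytes per /24 the way the awk '{s += $10}' pipeline does, flags prefixes above a bandwidth share, and lists (IP, path) pairs that fetch the same .iso over and over, which is the re-download loop the thread describes. The thresholds and the addresses other than 27.221.66.x are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Combined log format as lighttpd/nginx write it; the byte count is awk's $10.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def bytes_per_prefix(lines, prefixlen=24):
    """Sum response bytes per /24 (the grouped form of awk '{s += $10}')."""
    totals = defaultdict(int)
    for d in filter(None, map(parse, lines)):
        totals[str(ip_network(f"{d['ip']}/{prefixlen}", strict=False))] += d["bytes"]
    return dict(totals)

def hog_prefixes(lines, share=0.25):
    """Prefixes that served more than `share` of all bytes, with their share (assumed threshold)."""
    totals = bytes_per_prefix(lines)
    grand = sum(totals.values()) or 1
    return {net: b / grand for net, b in totals.items() if b / grand > share}

def iso_loopers(lines, min_hits=3):
    """(ip, path) pairs that fetched the same .iso at least min_hits times (assumed threshold)."""
    hits = defaultdict(int)
    for d in filter(None, map(parse, lines)):
        if d["path"].endswith(".iso"):
            hits[(d["ip"], d["path"])] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

# Constructed sample lines (not taken from any real mirror log).
ISO = "/iso/2020.03.01/archlinux-2020.03.01-x86_64.iso"
UA = '"-" "Mozilla/5.0"'
SAMPLE = [
    f'27.221.66.133 - - [01/Jun/2020:10:00:00 +0000] "GET {ISO} HTTP/1.1" 200 681574400 {UA}',
    f'27.221.66.133 - - [01/Jun/2020:10:03:10 +0000] "GET {ISO} HTTP/1.1" 200 681574400 {UA}',
    f'27.221.66.133 - - [01/Jun/2020:10:06:20 +0000] "GET {ISO} HTTP/1.1" 200 681574400 {UA}',
    f'27.221.66.144 - - [01/Jun/2020:10:01:00 +0000] "GET {ISO} HTTP/1.1" 404 169 {UA}',
    f'203.0.113.7 - - [01/Jun/2020:10:02:00 +0000] "GET /core/os/x86_64/core.db HTTP/1.1" 200 131072 {UA}',
    f'198.51.100.9 - - [01/Jun/2020:10:04:00 +0000] "GET /iso/2020.06.01/archlinux-2020.06.01-x86_64.iso HTTP/1.1" 200 681574400 {UA}',
]
```

On real logs, feed `open("access.log")` to these functions instead of SAMPLE; the 404 line counts toward the prefix total but not toward the loop detection, since a loop of 404s costs bandwidth only in headers.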


On 7/2/20 8:16 AM, Ave wrote:
> We're having this too.
>
> ave at owobox:/home/ave $ sudo grep iso /var/log/nginx/access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | grep 27.221.66
>       29 27.221.66.139
>       27 27.221.66.136
>       26 27.221.66.137
>       26 27.221.66.133
>       25 27.221.66.134
>       24 27.221.66.144
>       23 27.221.66.148
>       21 27.221.66.143
>       21 27.221.66.138
>       21 27.221.66.132
>       20 27.221.66.141
>       18 27.221.66.147
>       17 27.221.66.153
>       16 27.221.66.151
>       16 27.221.66.146
>       16 27.221.66.142
>       16 27.221.66.131
>       15 27.221.66.149
>       13 27.221.66.154
>       13 27.221.66.152
>
> They all seem to be trying to fetch
> "/iso/2020.02.01/archlinux-2020.02.01-x86_64.iso" and
> "/iso/2020.03.01/archlinux-2020.03.01-x86_64.iso", which are 404 on our
> end. UA for all is "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3".
>
>
> I personally blocked the /24 (sudo ufw insert 1 deny from 27.221.66.0/24
> to any).
>
> The behavior seems like it's not in good faith (the requests have 30s-4m
> between them), and while I don't think much will happen, I'll be
> filing an IP abuse notice to China Unicom about this
> (hqs-ipabuse at chinaunicom.cn).
>
> On 7/2/20 3:00 PM, arch-mirrors-request at archlinux.org wrote:
>> Message: 1
>> Date: Thu, 2 Jul 2020 09:06:05 +0200
>> From: services <services+mirrors at eric.ovh>
>> To: arch-mirrors at archlinux.org
>> Subject: Re: [arch-mirrors] Huge traffic from China
>> Message-ID: <7066fda6-b2f2-b1b9-90fd-ef257920ee72 at eric.ovh>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> IP is in the same range for me

>> and found 4 new IPs yesterday on another range (scan 22H CEST):
>> 119.176.61.18
>> 119.176.61.22
>> 119.176.61.16
>> 119.176.61.12
>>
>>
>> On 7/2/2020 8:25 AM, Siyuan Miao wrote:
>>> We also received lots of requests from 27.221.66.0/24.
>>>
>>> aveline at mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr
>>>     178 27.221.66.133
>>>     176 27.221.66.144
>>>     163 27.221.66.143
>>>     163 27.221.66.132
>>>     158 27.221.66.138
>>>     155 27.221.66.141
>>>     153 27.221.66.131
>>>     150 27.221.66.149
>>>     144 27.221.66.147
>>>     137 27.221.66.142
>>>     136 27.221.66.136
>>>     136 27.221.49.135
>>>     133 27.221.66.154
>>>     133 27.221.66.134
>>>     131 27.221.66.151
>>>     131 27.221.66.146
>>>     130 27.221.66.137
>>>     124 27.221.66.139
>>>     120 27.221.66.153
>>>     102 27.221.66.148
>>>      93 27.221.66.152
>>>
>>> On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin at labkom.id
>>> <mailto:mirror-admin at labkom.id>> wrote:
>>>
>>> Hi,
>>>
>>> we got requests from a fraction of subnet 27.221.66.0/24
>>>
>>> thx
>>>
>>> On 7/2/2020 12:52, services via arch-mirrors wrote:
>>>
>>>> Hello,
>>>>
>>>> Same case here.
>>>>
>>>> Impact is low here (via one IP only), because it requests a file which
>>>> doesn't exist (old iso):
>>>> arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No
>>>> such file or directory)
>>>>
>>>> Can you share IPs on the list to compare and block all IPs before a
>>>> DDoS?
>>>> Regards,
>>>> Eric.
>>>>
>>>> On 7/2/2020 5:02 AM, mirror-admin wrote:
>>>>> Hello,
>>>>>
>>>>> Yes, we noticed the same download pattern from China IPs. Not only for
>>>>> Archlinux, but for other archives as well.
>>>>>
>>>>> What we do is try to be nice: we throttle down our upload speed to
>>>>> their IPs.
>>>>>
>>>>> Thx
>>>>>
>>>>> On 7/2/2020 09:49, Johannes Findeisen wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I am running the mirror arch.unixpeople.org. For some months I have
>>>>>> encountered a lot of traffic from China which seems to be like a
>>>>>> DDoS. I fixed this some months ago by blocking all IP address ranges
>>>>>> from China. This stopped the traffic. Yesterday I tried to remove all
>>>>>> my firewall rules and to see what happens... Just some hours ago the
>>>>>> DDoS started again, so I really had to block China from my mirror
>>>>>> again because it would become a full-time job to monitor my host.
>>>>>>
>>>>>> While all this happened I tried to figure out what's going on and saw
>>>>>> endless downloads of the arch .iso file from many, many IP addresses
>>>>>> in China. When the download from one IP had finished, the download
>>>>>> directly started again from exactly the same IP in an endless loop.
>>>>>>
>>>>>> Does anyone other here encounter such things?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Johannes

