[arch-mirrors] Huge traffic from China (services)

Johannes Findeisen mailman at hanez.org
Thu Jul 2 16:48:10 UTC 2020


Hi,

 me they are really getting an iso that is existing. And when the
download has finished the download starts from the same IP again. And
for me it is not only from one subnet but many different networks. When
I block these networks manually, after some time everything starts again
from other networks.

Regards
Johannes

On Thu, 2 Jul 2020 15:16:35 +0300 Ave wrote:

> We're having this too.
> 
> ave at owobox:/home/ave $ sudo grep iso /var/log/nginx/access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | grep 27.221.66
>      29 27.221.66.139
>      27 27.221.66.136
>      26 27.221.66.137
>      26 27.221.66.133
>      25 27.221.66.134
>      24 27.221.66.144
>      23 27.221.66.148
>      21 27.221.66.143
>      21 27.221.66.138
>      21 27.221.66.132
>      20 27.221.66.141
>      18 27.221.66.147
>      17 27.221.66.153
>      16 27.221.66.151
>      16 27.221.66.146
>      16 27.221.66.142
>      16 27.221.66.131
>      15 27.221.66.149
>      13 27.221.66.154
>      13 27.221.66.152
> 
> They all seem to be trying to fetch
> "/iso/2020.02.01/archlinux-2020.02.01-x86_64.iso" and
> "/iso/2020.03.01/archlinux-2020.03.01-x86_64.iso", which are 404 on our
> end. UA for all is "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3".
> 
> 
> I personally blocked the /24 (sudo ufw insert 1 deny from 27.221.66.0/24
> to any).
> 
> The behavior seems like it's not in good faith (the requests have 30s-4m
> between them), and while I don't think much will happen, I'll be
> filing an IP abuse notice to China Unicom about this
> (hqs-ipabuse at chinaunicom.cn).
> 
> On 7/2/20 3:00 PM, arch-mirrors-request at archlinux.org wrote:
> > Message: 1
> > Date: Thu, 2 Jul 2020 09:06:05 +0200
> > From: services <services+mirrors at eric.ovh>
> > To: arch-mirrors at archlinux.org
> > Subject: Re: [arch-mirrors] Huge traffic from China
> > Message-ID: <7066fda6-b2f2-b1b9-90fd-ef257920ee72 at eric.ovh>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > IP is on the same range for me
> >
> > and found 4 new IPs yesterday on another range (scan 22H CEST):
> > 119.176.61.18
> > 119.176.61.22
> > 119.176.61.16
> > 119.176.61.12
> >
> >
> > On 7/2/2020 8:25 AM, Siyuan Miao wrote:
> >> We also received lots of requests from 27.221.66.0/24.
> >>
> >> aveline at mirror-iad01-a:~# sudo grep iso /var/log/nginx/mirrors.access.log | awk '{ print $1 }' | sort -n | uniq -c | sort -nr
> >>     178 27.221.66.133
> >>     176 27.221.66.144
> >>     163 27.221.66.143
> >>     163 27.221.66.132
> >>     158 27.221.66.138
> >>     155 27.221.66.141
> >>     153 27.221.66.131
> >>     150 27.221.66.149
> >>     144 27.221.66.147
> >>     137 27.221.66.142
> >>     136 27.221.66.136
> >>     136 27.221.49.135
> >>     133 27.221.66.154
> >>     133 27.221.66.134
> >>     131 27.221.66.151
> >>     131 27.221.66.146
> >>     130 27.221.66.137
> >>     124 27.221.66.139
> >>     120 27.221.66.153
> >>     102 27.221.66.148
> >>      93 27.221.66.152
> >>
> >> On Thu, Jul 2, 2020 at 2:14 PM mirror-admin <mirror-admin at labkom.id> wrote:
> >>
> >> Hi,
> >>
> >> we got requests from a fraction of subnet 27.221.66.0/24
> >>
> >> thx
> >>
> >> On 7/2/2020 12:52, services via arch-mirrors wrote:
> >>
> >> > Hello,
> >> >
> >> > Same case here.
> >> >
> >> > Impact is low here (via one IP only), because a file which doesn't exist
> >> > (old iso) :
> >> > arch//iso/2020.03.01/archlinux-2020.03.01-x86_64.iso" failed (2: No
> >> > such file or directory)
> >> >
> >> > Can you share IPs on the list to compare and block all IPs before a DDoS?
> >> >
> >> > Regards,
> >> > Eric.
> >> >
> >> > On 7/2/2020 5:02 AM, mirror-admin wrote:
> >> >> Hello,
> >> >>
> >> >> Yes, we notice the same download pattern from China IPs. Not only for
> >> >> Archlinux, but for other archives as well.
> >> >>
> >> >> What we do is try to be nice: we are throttling down our upload speed to
> >> >> their IP.
> >> >>
> >> >> Thx
> >> >>
> >> >> On 7/2/2020 09:49, Johannes Findeisen wrote:
> >> >>> Hello,
> >> >>>
> >> >>> I am driving the mirror arch.unixpeople.org. Since some months I
> >> >>> encounter a lot of traffic from China which seems to be like a DDoS. I
> >> >>> fixed this some months ago by blocking all IP address ranges from China.
> >> >>> This stopped the traffic. Yesterday I tried to remove all my firewall
> >> >>> rules and to see what happens... Just some hours ago the DDoS started
> >> >>> again so I really had to block China from my mirror again because it
> >> >>> would become a full-time job to monitor my host.
> >> >>>
> >> >>> While all this happened I tried to figure out what's going on and saw
> >> >>> endless downloads of the arch .iso file from many many IP addresses in
> >> >>> China. When the download from one IP had finished the download directly
> >> >>> started again from exactly the same IP in an endless loop.
> >> >>>
> >> >>> Does anyone else here encounter such things?
> >> >>>
> >> >>> Regards
> >> >>>
> >> >>> Johannes
> >>
> >
> 
> -- 
> -Ave
> https://ave.zone
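
Added example, not part of any message in this thread: the grep/awk pipelines quoted above count .iso requests per client IP and are then filtered for one known /24. Since the traffic is reported to return from other networks after a block, this version groups by /24 without naming a prefix in advance and also reports distinct clients and 404s. It assumes the nginx "combined" log format; the function names, thresholds and sample log lines (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Per-/24 summary of .iso requests read from stdin (nginx "combined" format).
# Output columns: requests, distinct client IPs, 404 responses, network.
iso_by_subnet() {
    awk '
    # combined format: $1 = client IP, $7 = request path, $9 = HTTP status
    $7 ~ /\.iso$/ && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($1, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        hits[net]++
        if ($9 == 404) missing[net]++      # requests for ISOs no longer hosted
        if (!seen[net, $1]++) ips[net]++   # count each client once per network
    }
    END {
        for (n in hits)
            printf "%d %d %d %s\n", hits[n], ips[n], missing[n], n
    }' | sort -k1,1nr -k4,4
}

# Print only the networks with at least $1 requests from at least $2 clients.
# Both thresholds are assumptions to tune against normal mirror traffic.
flag_subnets() {
    iso_by_subnet | awk -v h="$1" -v i="$2" '$1 >= h && $2 >= i { print $4 }'
}

# Constructed sample log. The two dated ISO paths and the User-Agent are the
# ones quoted in the thread; addresses, sizes and timestamps are made up.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Jul/2020:12:00:00 +0000] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.0.2.11 - - [02/Jul/2020:12:00:40 +0000] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.0.2.10 - - [02/Jul/2020:12:02:10 +0000] "GET /iso/2020.02.01/archlinux-2020.02.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
192.0.2.12 - - [02/Jul/2020:12:03:30 +0000] "GET /iso/2020.03.01/archlinux-2020.03.01-x86_64.iso HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
198.51.100.7 - - [02/Jul/2020:12:04:00 +0000] "GET /iso/latest/archlinux-x86_64.iso HTTP/1.1" 200 680525824 "-" "curl/7.70.0"
203.0.113.5 - - [02/Jul/2020:12:05:00 +0000] "GET /core/os/x86_64/core.db HTTP/1.1" 200 135000 "-" "pacman/5.2.1"
EOF
}

sample_log | flag_subnets 3 2
```

On a live mirror the same functions read the real log, for example `flag_subnets 100 5 < /var/log/nginx/access.log`; the printed networks are candidates for review, throttling or a block rule.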

