Hi, all
On our servers, the following UAs are blocked and similar repeated requests against large iso files can be rejected:
map $http_user_agent $isbadbrowser { default 0; "~*Mozilla/5.0 (Linux; Android)" 1; "~*Chrome/49.0.2623.87" 1; "~*Firefox/3.6.3" 1; }
According to our experience of operating largest mirror site in China, such User-Agent list is able to protect against most of those traffic, IP blocking is not needed and the list didn't require an update for several years.
Although the root cause not found, we suspect these behavior might be caused by some certain broken software and the problem might already be solved in a later version. It will be appreciated if anyone can report traffic with this pattern from AS4538, and we can try to figure out what is the root cause of such behavior.
Cheers,
Miao Wang
2020年10月06日 21:47,Didier Aeschimann didier@calgah.com 写道:
Hello,
We also had a similar issue in 2019
May 2019 6768.16 GB Jun 2019 4571.42 GB Jul 2019 5033308.72 GB Aug 2019 1665015.47 GB Sep 2019 480864.23 GB Oct 2019 7492.56 GB
All of the increase in traffic was China networks. In my case we waited it out and still have about 50% over normal from China. We were wondering what CentOS’ position on geoblocking is?
Good day,
Didier
Didier Aeschimann Calgah Computer Systems Ltd. / IT Security Division 1405 Henri-Bourassa E. Montreal, Quebec, Canada H2C 1H1 Tel:(514) 335 0405 Fax. (514) 335 6541 Email: nospam@redwarning.com, didier@calgah.com http://www.calgah.com
From: CentOS-mirror centos-mirror-bounces@centos.org On Behalf Of Cihan Nimsi via CentOS-mirror Sent: October-06-20 09:23 To: centos-mirror@centos.org Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
Hello,
We also had the same problem and blocked China. Problem solved.
6.10.2020 01:23 tarihinde Christopher Hawker yazdı:
Hi Thomas,
You could simply use GeoIP Blocking to filter out any traffic from China. Here's a link to achieve this for Apache: https://www.cloudibee.com/geoip-based-country-blocking-for-apache/.
Regards, Christopher Hawker
From: CentOS-mirror centos-mirror-bounces@centos.org on behalf of Thomas Enos thomas.enos@afghan-wireless.com Sent: Tuesday, 6 October 2020 4:34 AM To: Mailing list for CentOS mirrors. centos-mirror@centos.org; CEDIA FOSS Mirrors mirror@cedia.org.ec Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
We can confirm being hit by 27.221.66.0/24 pulling the same iso as well. What action was taken to address this by your networks?
Thanks,
From: CentOS-mirror centos-mirror-bounces@centos.org on behalf of Bogdan-Stefan Rotariu bogdan.rotariu@chroot.ro Reply to: "Mailing list for CentOS mirrors." centos-mirror@centos.org Date: Monday, 5 October 2020 at 9:30 PM To: CEDIA FOSS Mirrors mirror@cedia.org.ec, "Mailing list for CentOS mirrors." centos-mirror@centos.org Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
[EXTERNAL EMAIL] This is an external email, please make sure the sender is well known before clicking on any link or opening an attachment, if spam report it to CIRT@afghan-wireless.com
Hi there,
On Oct 5, 2020, at 20:24, CEDIA FOSS Mirrors via CentOS-mirror centos-mirror@centos.org wrote: hi
<snip>
112.95.214.226 - China Unicom Guangdong province network 223.88.61.170 - China Mobile Communications Corporation 171.41.7.29 - CHINANET Hubei province network 120.84.10.190 - China Unicom Guangdong province network 27.221.66.104 - China Unicom Shandong province network 27.221.66.105 - China Unicom Shandong province network 112.32.21.93 - China Mobile Communications Corporation 27.221.49.135 - China Unicom Shandong province network
Have you noticed that in your mirrors? look for these IP and notice if they have been trying to continously download iso
We did encounter the same issues with the same IP addresses and same iso file. Till now I thought it was an isolated issue..
— Bogdan-Stefan Rotariu CTO,Founder Chroot Network SRL WEB: http://www.chroot.rohttp://track.chroot.ro/?a=10395&m=&n=&s=12c000000d625fc&u=http%3a%2f%2fwww.chroot.ro%3futm_source%3d%26utm_medium%3demail%26utm_campaign%3dunspecified&t=&e=contact%40chroot.ro&h=8a6c74da Phone: +40-731-247-668tel:+40-731-247-668 Suport tehnic: suport@chroot.romailto:suport@chroot.ro Suport vanzari: vanzari@chroot.romailto:vanzari@chroot.ro Contact general: contact@chroot.romailto:contact@chroot.ro
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
-- İyi Çalışmalar / Best Regards, Cihan Nimsi C-Level Executive
İçerenköy Mh. Ertaç Sk. Ardil İş Merkezi No: 4/2 Kat: 1 Ataşehir/İSTANBUL Telefon +90 850 885 0 558 - 1001 www.guzel.net.tr
Bu e-mailin içeriği gizlidir ve sadece bu e-mailin alıcısına özeldir. Göndericinin izni olmadan bu mesajın 3. taraflarla paylaşılması yasaktır. Eğer bu e-mail size yanlışlıkla gönderildiyse, lütfen bu e-maili yanıtlayıp siliniz, böylece aynı hata tekrar olmayacaktır. The content of this email is confidential and intended for the recipient specified in message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror