Recently I've been seeing hundreds of requests over a short space of time for the CentOS 2 isos, always from a single IP address, always Chinese IP addresses.
Anybody else seeing these, or know what they are trying to do? It almost looks like some sort of DoS attack.
Thanks,
Mike
On Fri, 29 Aug 2008, Mike Zanker wrote:
Recently I've been seeing hundreds of requests over a short space of time for the CentOS 2 isos, always from a single IP address, always Chinese IP addresses.
Anybody else seeing these, or know what they are trying to do? It almost looks like some sort of DoS attack.
we (ftp.iitm.ac.in) also run a fedora mirror and this was a chronic problem with that. we have not noticed this problem with the centos mirror. actually, they are 'legitimate' requests in the sense that they appear to be requests for partial downloads; however, with the rate at which the requests come in, it effectively becomes a dos attack. we have implemented per ip connection limit to stop this and it is very effective. there are several ways to do this; one possible way is to use the limitipconn module of apache and put the following lines in the httpd.conf file.
<IfModule mod_limitipconn.c>
    <Location />
        MaxConnPerIP 3
    </Location>
</IfModule>
On 29/8/08 16:07, Prof. P. Sriram wrote:
we (ftp.iitm.ac.in) also run a fedora mirror and this was a chronic problem with that. we have not noticed this problem with the centos mirror. actually, they are 'legitimate' requests in the sense that they appear to be requests for partial downloads; however, with the rate at which the requests come in, it effectively becomes a dos attack. we have implemented per ip connection limit to stop this and it is very effective. there are several ways to do this; one possible way is to use the limitipconn module of apache and put the following lines in the httpd.conf file.
Thanks for the info. Yes, I'd noticed that they were requests for partial downloads, though interesting that they are all of Chinese origin. Maybe something to do with their network infrastructure.
Regards,
Mike
2008/8/31, Mike Zanker mike@zanker.org:
Thanks for the info. Yes, I'd noticed that they were requests for partial downloads, though interesting that they are all of Chinese origin. Maybe something to do with their network infrastructure.
There is a company called Xunlei in Chinese; its English name is Thunder. They produce a program called Xunlei or Thunder. A lot of people are using this program for downloading.
This program can download files from multiple servers or multiple P2P networks.
It's a good downloading client for users, but a very bad client for sysadmins and netadmins.
On 29/08/08 8:35 PM, "Mike Zanker" mike@zanker.org wrote:
Recently I've been seeing hundreds of requests over a short space of time for the CentOS 2 isos, always from a single IP address, always Chinese IP addresses.
We're not operating an official CentOS mirror (yet), but we do notice similar behaviour on our Apache mirror.
Sometimes we'll see up to several hundred simultaneous requests from a single Chinese IP address (almost invariably Chinanet). It got so bad that we had to put in mod_limitipconn to return a 503 server busy error code to anyone opening more than 5 connections (the first 5 connections work, they just can't open more than that).
That solved the majority of the issues. We still see the requests (error code 503 has been issued 400,000 times so far this month), but at least they can't take up all of the connections anymore.
-Shaun
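Added example, not part of any message in this thread: a small Python log check a mirror admin could run to spot the pattern described above, i.e. one client issuing many partial-download (206) requests in a short time, and to count how many of its requests the connection limit rejected with 503. The log lines, IP addresses (documentation ranges), path, window and threshold are all constructed assumptions; request rate in the access log is used as a proxy for simultaneous connections, which the log does not record directly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: client IP, timestamp, request line, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def parse(line):
    """Return (ip, time, status) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _request, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def find_bursts(lines, window_s=10, threshold=5):
    """Return per-IP stats for clients whose request count inside any
    window_s-second window reaches threshold (assumes time-ordered input)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"peak": 0, "partial": 0, "rejected": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip lines that are not in the expected format
        ip, when, status = rec
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop requests older than the window
        s = stats[ip]
        s["peak"] = max(s["peak"], len(q))
        s["partial"] += status == 206    # Range requests served as Partial Content
        s["rejected"] += status == 503   # refused by the per-IP connection limit
    return {ip: s for ip, s in stats.items() if s["peak"] >= threshold}

# Constructed sample: one client sends 8 requests in 8 seconds (5 served, 3 refused),
# another client makes a single ordinary download.
SAMPLE = [
    f'203.0.113.7 - - [29/Aug/2008:16:00:{i:02d} +0000] '
    f'"GET /centos/example.iso HTTP/1.1" {206 if i < 5 else 503} 1048576'
    for i in range(8)
] + ['198.51.100.20 - - [29/Aug/2008:16:00:03 +0000] '
     '"GET /centos/example.iso HTTP/1.1" 200 1048576']

if __name__ == "__main__":
    for ip, s in find_bursts(SAMPLE).items():
        print(ip, s)
```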