So, for whatever reason my mirror seems to be getting targeted by China:
[root@repos ~]# tail -f access.log | grep 403
112.22.135.89 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.206.56.187 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.157.33 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
223.107.42.112 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.156.85 - - [27/Apr/2022:13:10:53 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
223.107.40.234 - - [27/Apr/2022:13:10:53 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
140.224.157.57 - - [27/Apr/2022:13:10:54 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
223.107.6.85 - - [27/Apr/2022:13:10:54 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.156.108 - - [27/Apr/2022:13:10:54 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
218.67.20.149 - - [27/Apr/2022:13:10:55 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
120.43.124.48 - - [27/Apr/2022:13:10:55 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.152.194 - - [27/Apr/2022:13:10:55 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
120.43.125.124 - - [27/Apr/2022:13:10:56 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
223.107.42.113 - - [27/Apr/2022:13:10:56 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.140.251 - - [27/Apr/2022:13:10:56 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.156.51 - - [27/Apr/2022:13:10:56 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.140.54 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.140.251 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
121.206.58.145 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.141.44 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.140.191 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
183.250.141.209 - - [27/Apr/2022:13:10:57 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.109.212.65 - - [27/Apr/2022:13:10:58 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.109.212.13 - - [27/Apr/2022:13:10:58 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
223.107.43.135 - - [27/Apr/2022:13:10:58 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
117.80.215.77 - - [27/Apr/2022:13:10:58 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
117.80.215.137 - - [27/Apr/2022:13:10:59 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
112.22.152.61 - - [27/Apr/2022:13:11:01 -0500] "GET /centos/8.5.2111/isos/aarch64/CentOS-8.5.2111-aarch64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
27.158.193.43 - - [27/Apr/2022:13:11:01 -0500] "GET /centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
I geoblocked the country about a week ago, but the requests haven't stopped. It was at the level that it was maxing out my 1gbit/sec link until I did something.
Anyone else seeing anything similar?
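One way to triage an access log like the one above is to group .iso requests by source network and user agent and report the groups that burst within a short window. This is an added example, not code from the original post; the function names, thresholds and the /24 grouping (an offline stand-in for the per-ASN view mentioned later in the thread) are assumptions, and the sample lines are constructed with documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format, the layout of the access.log lines in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["addr"] = ipaddress.ip_address(rec["ip"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return rec

def iso_hotspots(lines, v4_prefix=24, v6_prefix=48,
                 window=timedelta(seconds=60), min_hits=5):
    """Report (network, user agent) groups with >= min_hits .iso requests
    inside any sliding window of the given length."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if not rec["path"].split("?", 1)[0].lower().endswith(".iso"):
            continue
        plen = v4_prefix if rec["addr"].version == 4 else v6_prefix
        net = ipaddress.ip_network(f'{rec["addr"]}/{plen}', strict=False)
        groups[(str(net), rec["ua"])].append(rec)

    report = []
    for (net, ua), recs in groups.items():
        times = sorted(r["ts"] for r in recs)
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            report.append({
                "network": net,
                "user_agent": ua,
                "hits": len(recs),
                "peak": peak,
                "clients": len({r["ip"] for r in recs}),
                "paths": sorted({r["path"] for r in recs}),
            })
    return sorted(report, key=lambda r: r["peak"], reverse=True)

# Constructed sample input (not real traffic); paths taken from the post.
ISO7 = "/centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso"
ISO8 = "/centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso"

def _line(ip, sec, path, status, ua):
    return (f'{ip} - - [27/Apr/2022:13:10:{sec:02d} -0500] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "{ua}"')

SAMPLE_LOG = [
    _line("203.0.113.11", 52, ISO7, 403, "curl/7.29.0"),
    _line("203.0.113.12", 52, ISO8, 403, "curl/7.29.0"),
    _line("203.0.113.13", 53, ISO7, 403, "curl/7.29.0"),
    _line("203.0.113.14", 54, ISO8, 403, "curl/7.29.0"),
    _line("203.0.113.15", 55, ISO8, 403, "curl/7.29.0"),
    _line("203.0.113.11", 56, ISO8, 403, "curl/7.29.0"),
    _line("198.51.100.7", 53, ISO7, 200, "curl/7.29.0"),   # single download
    _line("192.0.2.10", 54, "/centos/7.9.2009/os/x86_64/repodata/repomd.xml",
          200, "urlgrabber/3.10 yum/3.4.3"),                # not an ISO
    "truncated or malformed line",
]

if __name__ == "__main__":
    for row in iso_hotspots(SAMPLE_LOG):
        print(row)
```

The single curl/7.29.0 download from 198.51.100.7 stays below the threshold, so only the clustered burst is reported.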
On Wed, 27 Apr 2022 at 14:16, Russell Jones arjones85@gmail.com wrote:
So, for whatever reason my mirror seems to be getting targeted by China:
[root@repos ~]# tail -f access.log | grep 403 112.22.135.89 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
<deleted>
I geoblocked the country about a week ago, but the requests haven't stopped. It was at the level that it was maxing out my 1gbit/sec link until I did something.
Anyone else seeing anything similar?
I have seen this going for about 10 years with different mirrors. The connections are one of three things:
1. Automated downloaders getting blocked by Great-Firewall configurations getting to a certain point
2. Malware installed on a lot of systems being commanded to download the software and desist. This is usually done to cause bandwidth issues all through the stack. They are either getting stopped by firewalls or just stopping the connections themselves as part of the badness.
From mirror managing Fedora, number 2 seems to be more likely as a lot of the IP addresses doing this never show up on asking mirrormanager for downloads. Instead they seem to have gotten a list of mirrors from some third party and are being commanded to do the infinite downloads. I don't know if this is similar with what is going on now.
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
We've been noticing the exact same behaviour and are still discussing internally the best way to address it.
Wasn't it fixed by blocking specific user agent?
# Bad user agents
map $http_user_agent $isbadbrowser {
    default 0;
    # "~*" is a case-insensitive regex match; parentheses are escaped so they match literally
    "~*Mozilla/5.0 \(Linux; Android\)" 1;
    "~*Chrome/49.0.2623.87" 1;
    "~*Firefox/3.6.3" 1;
}
From: CentOS-mirror centos-mirror-bounces@centos.org on behalf of Paul Mezzanini paul@themezz.com
Sent: Wednesday, April 27, 2022 11:55:50 AM
To: Mailing list for CentOS mirrors. centos-mirror@centos.org
Subject: Re: [CentOS-mirror] Chinese addresses requesting excessive iso's?
We've been noticing the exact same behaviour and are still discussing internally the best way to address it.
This is an old problem, I have already re-posted the solution once - the original author was the TUNA Mirror Team.
https://lists.centos.org/pipermail/centos-mirror/2020-October/024445.html
Maybe it would be a good idea to add this info to the CentOS wiki https://wiki.centos.org/HowTos/CreatePublicMirrors , so it wouldn't be "loop" asked again.
By the way, if a mirror/firewall can't handle a few 403 requests from a few hosts then it's really a big problem. ;)
Have a nice day!
Cheers,
Peter
Thanks for the info. Blocking China solved the problem for me. The 403's that are now being generated from me blocking China wasn't the issue - Having 50+ hosts all requesting 8GB iso files over and over again was the issue. ;)
On Wed, Apr 27, 2022 at 3:17 PM Quantum Mirror root@quantum-mirror.hu wrote:
This is an old problem, I have already re-posted the solution once - the original author was the TUNA Mirror Team.
https://lists.centos.org/pipermail/centos-mirror/2020-October/024445.html
Maybe it would be a good idea to add this info to the CentOS wiki https://wiki.centos.org/HowTos/CreatePublicMirrors , so it wouldn't be "loop" asked again.
By the way, if a mirror/firewall can't handle a few 403 requests from a few hosts then it's really a big problem. ;)
Have a nice day!
Cheers,
Peter
Hi,
We've seen this sort of traffic as well for quite a while now. We didn't want to block just by user-agent, but we did notice that all the requests were for a random Range, not for the entire iso.
We drop the traffic completely with the following ModSecurity rule:
# Drop requests for .iso files that carry a Range header and a Mozilla/ user agent
SecRule REQUEST_BASENAME "\.iso$" "id:1,phase:1,chain,drop,msg:'Drop weird Chinese traffic'"
    SecRule REQUEST_HEADERS_NAMES Range "chain"
    SecRule REQUEST_HEADERS:User-Agent "^Mozilla/"
This behavior is pretty weird, I don't understand why they would be doing it. I don't think it's Stephen's first theory because the downloads continue for the entire ISO if you ignore the Range server-side, so there is no firewall cutting off the connection in the middle. The second theory doesn't make sense either, if your goal is to saturate the network connection, why download just a small part of the ISO instead of the full thing over and over again? The clients are also only active for 20.5 hours of the day, they basically stop between 11:30 GMT and 15:00 GMT. Bots need to rest too, I guess...
Cheers, Alex
On 4/28/22 06:40, Russell Jones wrote:
This is an old problem, I have already re-posted the solution once - the original author was the TUNA Mirror Team. https://lists.centos.org/pipermail/centos-mirror/2020-October/024445.html Maybe it would be a good idea to add this info to the CentOS wiki https://wiki.centos.org/HowTos/CreatePublicMirrors , so it wouldn't be "loop" asked again. By the way, if a mirror/firewall can't handle a few 403 requests from a few hosts then it's really a big problem. ;)
Thanks for the info. Blocking China solved the problem for me. The 403's that are now being generated from me blocking China wasn't the issue - Having 50+ hosts all requesting 8GB iso files over and over again was the issue. ;)
Yeah, we are seeing it too on FCIX, bad enough that we've backed the micro-mirrors out from serving CentOS because we didn't want those to get overrun (single 1gbe connection on those).
On 4/27/2022 11:55 AM, Paul Mezzanini wrote:
We've been noticing the exact same behaviour and are still discussing internally the best way to address it.
Don't know a good way to handle it other than do the blocking on the agent strings mentioned elsewhere. At least with our stats collection it all seems to be coming from only one or two ASNs, so it might be worth just publishing a "block all these IPs that originate at these ASNs" too as, effectively, known bad actors.
- John 'Warthog9' Hawley
On Wed, 27 Apr 2022 at 14:27, Stephen Smoogen ssmoogen@redhat.com wrote:
On Wed, 27 Apr 2022 at 14:16, Russell Jones arjones85@gmail.com wrote:
So, for whatever reason my mirror seems to be getting targeted by China:
[root@repos ~]# tail -f access.log | grep 403 112.22.135.89 - - [27/Apr/2022:13:10:52 -0500] "GET /centos/7.9.2009/isos/x86_64/CentOS-7-x86_64-Everything-2009.iso HTTP/1.1" 403 153 "-" "curl/7.29.0"
<deleted>
There was a centos-infra ticket on this earlier this week https://pagure.io/centos-infra/issue/758 and curl/7.29.0 is the default C7 curl. Looking at the Fedora mirrormanager stats that is a minority of tools pulling epel-7 requests and probably C7 also. Probably fine to put in a webserver filter which just rejects that as a tool to the mirror.
-- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
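The three filters proposed in this thread (the nginx user-agent map, the chained ModSecurity rule, and rejecting curl/7.29.0) are modelled below in Python and run against constructed requests to show what each one blocks and which ordinary clients it also catches. This is an added example, not code from any poster; the function names, the sample requests and the reading of the nginx and ModSecurity patterns with literal parentheses and dot are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# nginx map patterns from the thread; "~*" means case-insensitive regex.
NGINX_BAD_UA = [re.compile(p, re.I) for p in (
    r"Mozilla/5\.0 \(Linux; Android\)",
    r"Chrome/49\.0\.2623\.87",
    r"Firefox/3\.6\.3",
)]

def nginx_ua_map(req):
    """Blocks when the User-Agent matches any pattern in the map."""
    return any(p.search(req["ua"]) for p in NGINX_BAD_UA)

def modsec_chain(req):
    """All three chained conditions must hold: basename ends in .iso,
    a header whose name matches 'Range' is present, UA starts with Mozilla/."""
    basename = posixpath.basename(urlsplit(req["uri"]).path)
    return (re.search(r"\.iso$", basename) is not None
            and any(re.search(r"Range", name) for name in req["headers"])
            and re.search(r"^Mozilla/", req["ua"]) is not None)

def reject_c7_curl(req):
    """Rejects the stock CentOS 7 curl user agent on any path."""
    return req["ua"] == "curl/7.29.0"

FILTERS = {
    "nginx_ua_map": nginx_ua_map,
    "modsec_chain": modsec_chain,
    "reject_c7_curl": reject_c7_curl,
}

ISO = "/centos/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso"

# Constructed requests (not captured traffic).
SAMPLE_REQUESTS = {
    # Shape of the lines in the first post: ISO path, curl/7.29.0.
    "curl_iso_request": {"uri": ISO, "ua": "curl/7.29.0", "headers": {}},
    # Shape described for the ModSecurity rule: Range on an ISO, Mozilla/ UA.
    "range_iso_old_firefox": {
        "uri": ISO,
        "ua": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20100401 Firefox/3.6.3",
        "headers": {"Range": "bytes=104857600-105906175"},
    },
    # A current browser resuming an interrupted ISO download.
    "browser_resume": {
        "uri": ISO,
        "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0",
        "headers": {"Range": "bytes=734003200-"},
    },
    # A CentOS 7 host fetching a small file with its stock curl.
    "c7_host_curl_small_file": {
        "uri": "/centos/RPM-GPG-KEY-CentOS-7",
        "ua": "curl/7.29.0",
        "headers": {},
    },
    # yum pulling repository metadata.
    "yum_repodata": {
        "uri": "/centos/7.9.2009/os/x86_64/repodata/repomd.xml",
        "ua": "urlgrabber/3.10 yum/3.4.3",
        "headers": {},
    },
}

def coverage(requests=SAMPLE_REQUESTS):
    """Map each request name to the list of filters that would block it."""
    return {name: [f for f, fn in FILTERS.items() if fn(req)]
            for name, req in requests.items()}

if __name__ == "__main__":
    for name, blocked_by in coverage().items():
        print(f"{name:26} {blocked_by or 'allowed'}")
```

Two of the filters each catch a client that is not part of the flood: a browser resuming an ISO download sends Range with a Mozilla/ user agent, and any CentOS 7 host using stock curl presents curl/7.29.0.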