hi
This issue has been running for several days and finally I decided to check the stats: we have noticed a sudden increase in bandwidth used by one of our mirrors.
Our other mirror's traffic pales compared to this one. A sustained traffic of 600-800mbps when others hardly reach 50-70mbps.
We checked the stats and noticed that the most downloaded file, summing up several TB, is CentOS-7.8.2003/isos/x86_64/CentOS-7-x86_64-Everything-2003.iso; it has been downloaded several times summing up 5.21TB in the last 7 days.
BTW 5.21TB of the traffic from this mirror goes to China.
One single IP: 112.95.214.226 has tried to connect to our mirror 17516 times. And in sum 8 IPs from China have actually downloaded several CentOS isos in the last 7 days: in total we have served 26113 connections only to access .iso files (CentOS-7 and CentOS-8) from those 8 IPs:
112.95.214.226 - China Unicom Guangdong province network
223.88.61.170 - China Mobile Communications Corporation
171.41.7.29 - CHINANET Hubei province network
120.84.10.190 - China Unicom Guangdong province network
27.221.66.104 - China Unicom Shandong province network
27.221.66.105 - China Unicom Shandong province network
112.32.21.93 - China Mobile Communications Corporation
27.221.49.135 - China Unicom Shandong province network
Have you noticed that in your mirrors? Look for these IPs and notice if they have been trying to continuously download iso
BTW: Why is centos-8.1.1911 isos being served even when centos-8.2.2003 has been available for a long time? Why isn't centos-8.1.19.11 being moved to vault?
regards
Ernesto Perez-- CSIRT-CEDIA
Ladrón de Guevara E11-253 y Andalucía, EPN, Casa Patrimonial. Quito - Ecuador Telf: (593) 7 407 9300 Ext. 115 csirt@cedia.org.ec / https://csirt.cedia.org.ec
Hi there,
On Oct 5, 2020, at 20:24, CEDIA FOSS Mirrors via CentOS-mirror centos-mirror@centos.org wrote:
hi
<snip>
Have you noticed that in your mirrors? Look for these IPs and notice if they have been trying to continuously download iso
We did encounter the same issues with the same IP addresses and same iso file. Till now I thought it was an isolated issue..
— Bogdan-Stefan Rotariu CTO,Founder Chroot Network SRL WEB: http://www.chroot.ro Phone: +40-731-247-668 Suport tehnic: suport@chroot.ro Suport vanzari: vanzari@chroot.ro Contact general: contact@chroot.ro
We can confirm being hit by 27.221.66.0/24 pulling the same iso as well. What action was taken to address this by your networks?
Thanks,
From: CentOS-mirror centos-mirror-bounces@centos.org on behalf of Bogdan-Stefan Rotariu bogdan.rotariu@chroot.ro Reply to: "Mailing list for CentOS mirrors." centos-mirror@centos.org Date: Monday, 5 October 2020 at 9:30 PM To: CEDIA FOSS Mirrors mirror@cedia.org.ec, "Mailing list for CentOS mirrors." centos-mirror@centos.org Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
Hi there,
We did encounter the same issues with the same IP addresses and same iso file. Till now I thought it was an isolated issue..
10/05/2020 12:40 - Thomas Enos wrote:
We can confirm being hit by 27.221.66.0/24 pulling the same iso as well. What action was taken to address this by your networks?

hi Thomas
there are several approaches that could be taken:
- block the whole country (using geoiplookup)
- block the whole country from downloading iso files
- block the list of IPs
- If the attacks persist from other IPs, then it is advisable to create a list of IPs we can use here to share IPs trying to dos our mirrors. This way everybody could use the list to block connections from them.

other suggestions are welcome
regards
epe
Yes,
Our mirror mirror.papua.go.id in Indonesia also got massive ISO downloads from IP 27.221.66.0/24, and also massive access from OVH, Amazon AWS and Google Cloud outside Indonesia.
But we already set a bandwidth limit for international connections but no limit for domestic, since our mirror is designed to serve Indonesian/domestic users via Indonesia OpenIXP.
SRS -- Pemerintah Provinsi Papua https://www.papua.go.id
2020-10-06 2:34 GMT+09.00, Thomas Enos thomas.enos@afghan-wireless.com:
We can confirm being hit by 27.221.66.0/24 pulling the same iso as well. What action was taken to address this by your networks?
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror
Hi Thomas,
You could simply use GeoIP Blocking to filter out any traffic from China. Here's a link to achieve this for Apache: https://www.cloudibee.com/geoip-based-country-blocking-for-apache/.
Regards, Christopher Hawker
From: CentOS-mirror centos-mirror-bounces@centos.org on behalf of Thomas Enos thomas.enos@afghan-wireless.com Sent: Tuesday, 6 October 2020 4:34 AM To: Mailing list for CentOS mirrors. centos-mirror@centos.org; CEDIA FOSS Mirrors mirror@cedia.org.ec Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
We can confirm being hit by 27.221.66.0/24 pulling the same iso as well. What action was taken to address this by your networks?
Hello,
We also had the same problem and blocked China. Problem solved.
On 6.10.2020 at 01:23, Christopher Hawker wrote:
Hi Thomas,
You could simply use GeoIP Blocking to filter out any traffic from China. Here's a link to achieve this for Apache: https://www.cloudibee.com/geoip-based-country-blocking-for-apache/.
Regards, Christopher Hawker
Hello,
We also had a similar issue in 2019
May 2019 6768.16 GB
Jun 2019 4571.42 GB
Jul 2019 5033308.72 GB
Aug 2019 1665015.47 GB
Sep 2019 480864.23 GB
Oct 2019 7492.56 GB
All of the increase in traffic was China networks.
In my case we waited it out and still have about 50% over normal from China.
We were wondering what CentOS’ position on geoblocking is?
Good day,
Didier
Didier Aeschimann Calgah Computer Systems Ltd. / IT Security Division 1405 Henri-Bourassa E. Montreal, Quebec, Canada H2C 1H1 Tel:(514) 335 0405 Fax. (514) 335 6541 Email: nospam@redwarning.com, didier@calgah.com http://www.calgah.com
From: CentOS-mirror centos-mirror-bounces@centos.org On Behalf Of Cihan Nimsi via CentOS-mirror Sent: October-06-20 09:23 To: centos-mirror@centos.org Subject: Re: [CentOS-mirror] [Ticket#2020100504000801] Potential DOS attack against a mirror
Hello,
We also had the same problem and blocked China. Problem solved.
Hi, all
On our servers, the following UAs are blocked and similar repeated requests against large iso files can be rejected:
map $http_user_agent $isbadbrowser {
    default 0;
    "~*Mozilla/5.0 (Linux; Android)" 1;
    "~*Chrome/49.0.2623.87" 1;
    "~*Firefox/3.6.3" 1;
}

According to our experience of operating the largest mirror site in China, such a User-Agent list is able to protect against most of that traffic; IP blocking is not needed and the list didn't require an update for several years.
Although the root cause has not been found, we suspect this behavior might be caused by certain broken software, and the problem might already be solved in a later version. It will be appreciated if anyone can report traffic with this pattern from AS4538, and we can try to figure out what the root cause of such behavior is.
Cheers,
Miao Wang
On 2020-10-06 at 21:47, Didier Aeschimann didier@calgah.com wrote:
Hello,
We also had a similar issue in 2019
May 2019 6768.16 GB
Jun 2019 4571.42 GB
Jul 2019 5033308.72 GB
Aug 2019 1665015.47 GB
Sep 2019 480864.23 GB
Oct 2019 7492.56 GB
All of the increase in traffic was China networks.
In my case we waited it out and still have about 50% over normal from China.
We were wondering what CentOS’ position on geoblocking is?
Good day,
Didier
10/07/2020 21:50 - TUNA Mirror Team wrote: Hi, all
On our servers, the following UAs are blocked and similar repeated requests against large iso files can be rejected:
map $http_user_agent $isbadbrowser {
    default 0;
    "~*Mozilla/5.0 (Linux; Android)" 1;
    "~*Chrome/49.0.2623.87" 1;
    "~*Firefox/3.6.3" 1;
}

According to our experience of operating the largest mirror site in China, such a User-Agent list is able to protect against most of that traffic; IP blocking is not needed and the list didn't require an update for several years.
Great to know. I have just implemented it with your suggestion. I will monitor the traffic for 2-3 days and see if it works.
thanks epe
10/12/2020 10:50 - CEDIA FOSS Mirrors via CentOS-mirror wrote: 10/07/2020 21:50 - TUNA Mirror Team wrote: Hi, all
Great to know. I have just implemented it with your suggestion. I will monitor the traffic for 2-3 days and see if it works.
hi just to let you know that the traffic during this week has been lower than last week when we blocked CN and way lower than 2 weeks ago when we had no control implemented.
So to sum it up: as suggested by TUNA team, by blocking queries based on misbehaved user-agents we were able to lower the traffic by a significant amount (25-30% lower than 2 weeks ago).
regards epe
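A way to check your own access log for the pattern discussed in this thread: repeated .iso downloads concentrated in a few addresses or /24s, and requests carrying the three User-Agent strings from the TUNA map. This is an added example, not code from any poster. It assumes the combined log format; the function names, log lines, addresses and sizes are constructed, and the User-Agent strings are matched as literal substrings, which is an assumption about their intent (as a regular expression, the parentheses in the first string form a group unless escaped).

```python
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# The three User-Agent strings from the map in this thread, matched as literal,
# case-insensitive substrings (assumption about their intent). re.escape matters:
# unescaped, "(Linux; Android)" is a regex group, not literal parentheses.
SUSPECT_UAS = ("Mozilla/5.0 (Linux; Android)", "Chrome/49.0.2623.87", "Firefox/3.6.3")
SUSPECT_UA_RE = re.compile("|".join(map(re.escape, SUSPECT_UAS)), re.IGNORECASE)


def network_of(ip):
    """Group IPv4 clients by /24 and IPv6 clients by /64; None if not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def iso_report(lines, min_requests=3):
    """Summarise .iso GET requests in an access log.

    Returns (offenders, networks): offenders lists every client IP with at
    least min_requests .iso requests, largest byte count first; networks maps
    each /24 (or /64) to the .iso bytes it was served.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "suspect_ua": 0})
    networks = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue  # unparsable line, or not a download
        if not m["path"].split("?", 1)[0].lower().endswith(".iso"):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        entry = per_ip[m["ip"]]
        entry["requests"] += 1  # counts attempts, including rejected ones
        entry["bytes"] += size
        if SUSPECT_UA_RE.search(m["ua"]):
            entry["suspect_ua"] += 1
        net = network_of(m["ip"])
        if net:
            networks[net] += size
    offenders = [{"ip": ip, **e} for ip, e in per_ip.items()
                 if e["requests"] >= min_requests]
    offenders.sort(key=lambda o: o["bytes"], reverse=True)
    return offenders, dict(networks)


def log_line(ip, path, status, size, ua):
    """Build one constructed combined-format line for the sample below."""
    return (f'{ip} - - [05/Oct/2020:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


# Constructed sample (documentation address ranges, made-up sizes).
ISO = "/centos/7.8.2003/isos/x86_64/CentOS-7-x86_64-Everything-2003.iso"
CHROME49 = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/49.0.2623.87 Safari/537.36")
SAMPLE_LOG = (
    [log_line("198.51.100.104", ISO, 206, 1073741824, "Mozilla/5.0 (Linux; Android)")] * 3
    + [log_line("198.51.100.105", ISO, 206, 500000000, CHROME49)] * 3
    + [log_line("203.0.113.7", ISO, 200, 2000000000, "curl/7.61.1"),
       log_line("203.0.113.7", "/centos/7/os/x86_64/repodata/repomd.xml", 200, 3000,
                "urlgrabber/3.10 yum/3.4.3"),
       "not a log line"]
)

if __name__ == "__main__":
    offenders, networks = iso_report(SAMPLE_LOG)
    for o in offenders:
        print(o)
    for net, size in sorted(networks.items(), key=lambda kv: -kv[1]):
        print(net, size)
```

Running it against a real log before enabling a User-Agent block shows how many .iso requests the list would actually catch and whether any legitimate client falls under it.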