[CentOS-mirror] Hundreds of requests for CentOS 2 isos from Chinese IP addresses

Fri Aug 29 15:07:58 UTC 2008
Prof. P. Sriram <sriram at ae.iitm.ac.in>

On Fri, 29 Aug 2008, Mike Zanker wrote:
> Recently I've been seeing hundreds of requests over a short space of
> time for the CentOS 2 isos, always from a single IP address, always
> Chinese IP addresses.
> 
> Anybody else seeing these, or know what they are trying to do? It almost
> looks like some sort of DoS attack.

We (ftp.iitm.ac.in) also run a Fedora mirror and this was a chronic 
problem with that. We have not noticed this problem with the CentOS 
mirror. Actually, they are 'legitimate' requests in the sense that they 
appear to be requests for partial downloads; however, with the rate at 
which the requests come in, it effectively becomes a DoS attack. We have 
implemented a per-IP connection limit to stop this and it is very effective. 
There are several ways to do this; one possible way is to use the 
limitipconn module of Apache and put the following lines in the httpd.conf 
file.

        <IfModule mod_limitipconn.c>
                <Location />
                MaxConnPerIP 3
                </Location>
        </IfModule>


-- 
sriram
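
The pattern described in this message (one address issuing partial-download requests for ISO files at a high rate) can be confirmed from the mirror's access log before or after a connection limit is applied. The following is an added example, not part of the original post: the function name, thresholds, addresses, paths and log lines are constructed assumptions, and it expects Apache common/combined log format in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def flag_partial_floods(lines, window_s=10, threshold=5, suffix=".iso"):
    """Return {ip: peak count} for clients whose 206 (Partial Content)
    responses for `suffix` files reach `threshold` within `window_s` seconds.
    Thresholds are illustrative assumptions; tune them to the mirror."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "206":
            continue  # only range requests served as partial content
        if not m["path"].lower().endswith(suffix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

def _line(ip, sec, status, path="/centos/2/isos/disc1.iso"):
    # Constructed sample entry; path and byte count are made up.
    return (f'{ip} - - [29/Aug/2008:15:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 65536')

# Constructed log: one client sends 8 range requests in 8 seconds,
# another performs one full download and one resumed download.
SAMPLE = [_line("203.0.113.7", s, 206) for s in range(8)]
SAMPLE += [_line("198.51.100.20", 1, 200), _line("198.51.100.20", 30, 206)]

if __name__ == "__main__":
    for ip, count in flag_partial_floods(SAMPLE).items():
        print(f"{ip}: {count} partial ISO requests within 10s")
```

A client that resumes a single interrupted download stays below the threshold, so only sustained bursts from one address are reported.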