[CentOS-mirror] DOS attack downloading DVD isos

Fri Nov 20 02:09:54 UTC 2009
Maulvi Bakar <maulvi at maulvi.net>

On Fri, Nov 20, 2009 at 9:36 AM, Clarkson University Mirror Admin <
mirror-admin at cslabs.clarkson.edu> wrote:

> On Thu, Nov 19, 2009 at 6:50 PM, Bob Bownes <bownes at gmail.com> wrote:
>
>> Anyone else seeing high numbers of requests for the DVD isos from a few
>> discrete locations? I'm getting multiple requests for dvd's from over 500
>> separate locations.
>>
>> Top 10 offenders:
>>
>>    5502 59.37.17.20
>>    6616 123.127.231.205
>>    6662 122.205.13.1
>>    6993 218.69.255.86
>>    7137 210.22.151.90
>>    7648 p108.net059086006.tnc.ne.jp
>>    8809 114.92.117.186
>>   10262 210.72.27.62
>>   11409 114.255.44.131
>>   13682 221.10.84.188
>>
>> Been going on for about the last 24 hours.
>>
>> Thanks,
>> Bob
>>
>
> Bob,
>
> Nice catch.  I'm seeing some of the same IPs (listed below) on my mirror as
> well.  I'm not sure whether I should block them or not though because I'd
> prefer not block people actually getting the ISOs but I also don't need
> bandwidth being consumed for no good reason since my mirror is already
> maxing out it's caps.
>
> Matt
>
>
> 6272  122.205.13.1  http 206
> 1519  114.92.117.186   200
> 4896  210.72.27.62  200
> 2192  114.255.44.131
> 9970  221.10.84.188
>
>
> --
> Mathew S. McCarrell
> Clarkson University '10
>
> mccarrms at gmail.com
> mccarrms at clarkson.edu
> 1-518-314-9214
>
>
> Hi!

I too am being hit, hard..  Although I did not carry DVD iso but the
quasi-DOS on the CD iso files are just as bad. Not just bandwidth
consumption but several dozens simultaneous connections from a single IP. I
think it's due to clients behind these IPs using some kind of download
managers.

So much so it is affecting those others who are grabbing *.rpm's download
performance.

I am tempted to use mod_bw and limit *.iso bandwidth to a reasonable low max
download speed and limitipconn to limit those download manager users to a
reasonable simultaneous connection.


Regards

Maulvi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-mirror/attachments/20091120/e22e7236/attachment-0006.html>